Last modified: 2014-06-12 09:35:10 UTC
Well, the subject say it all. After fixing bug20185 ( Changing your email address should require entering your password, see https://bugzilla.wikimedia.org/show_bug.cgi?id=20185#c5 ) the following problem exists when using OpenID extension in the mode "OpenID only". 1. when a user has added an account via OpenID, and no e-mail data was set-up (from OpenID provider to MediaWiki account) 2. there is already the link "reset password" in Special:Preferences 3. but user cannot set ("reset password") their password 4. because they do not have an e-mail address 5. The cannot set up their e-mail address (with MediaWiki methods), because they do not have a password (required since r92924 . An ad-hoc solution is: - add your e-mail address in your OpenID account, - and let this data be updated in your MediaWiki account when logging in with OpenID. Activate in Special:Preferences#mw-prefsection-openid --> "Update the following information from OpenID persona every time I log in: E-mail address" A) Log-out from MediaWiki. B) Set in your OpenId account that you want to transmit your e-mail address when logging in on the trusted site (your MediaWiki) C) Log-in to MediaWiki D) in Special:Preferences you will find your e-mail address set up E) click "Reset Password" to let the MediaWiki send you a temporary password F) goto your mail program, get the temporary password G) return to your MediaWiki, H) login with the temporary password and change it with a regular one related to bug29027 (solved) and depending on bug20185 . I filed this bug for tracking.
This is *not* a blocker for wikis with OpenID as long as the standard password-login is not disabled ( $wgOpenIDOnly == false ).
No changes / updates for five weeks here - is this really highest priority (which implies some urgency)?
this is a * yes- keep alive ping - busy with even more important thing - this is not cookie licking *
Downgraded to normal. No user has complained so far.
"high" is more appropriate.
In short, this is the "I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password" problem. It came up when MediaWiki core changed and required the account password, when users want to set-up or change their e-mail address (which makes definitely sense for security reasons). If someone can help to find a solution, pls. let me know a.s.a.p.
We may want to allow a hook to update that part of the interface, so we could have OpenID (or similar extensions) remove it, whereas other extensions might want to do a 2nd factor check there. Aaron might have another idea, since he implemented the check (iirc).
(In reply to comment #7) > We may want to allow a hook to update that part of the interface, so we could > have OpenID (or similar extensions) remove it, whereas other extensions might > want to do a 2nd factor check there. > > Aaron might have another idea, since he implemented the check (iirc). ok. Please be reminded, that I already introduced a special way for the special case of $wgOpenIDOnly==true This was fixed in 2011 in https://bugzilla.wikimedia.org/show_bug.cgi?id=29027 . See https://bugzilla.wikimedia.org/show_bug.cgi?id=29027#c1 for a detailed description (copied to here for convenience): "fixed in r88848 . When having the OpenID extension, the preference window basic information is changed. The section "Password" shows now links to case i) Change Password and Reset Password: if a password already exists case ii) Reset Password only: if no password has been set for this account yet, because the user opened their account by OpenID - which setPassword( null ) This is at least one possible way and avoids modification of Special:PasswordReset (there is no login page when only OpenID logins and account creations are possible ($wgOpenIDOnly==true) or Special:ChangePassword pages."
I will add this hardening ad-hoc fix to prevent problems in the future: *Disallow* wiki account creation in the case - new user wants to create an account (with their OpenID) and - $wgOpenIDOnly=true (i.e. logins and account creations are only allowed via OpenID) and - no e-mail address present, or e-mail address fails the Sanitizer:validEmail() test. This avoids any account creation without e-mail address, which makes sense because the user could not change ro setup their password without having a (confirmed) e-mail address in their wiki account.
(In reply to T. Gries from comment #6) > In short, this is the > > "I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password" > problem. > > It came up when MediaWiki core changed and required the account password, > when users want to set-up or change their e-mail address (which makes > definitely sense for security reasons). > > If someone can help to find a solution, pls. let me know a.s.a.p. Since MW 1.20.0 there is the $wgRequirePasswordforEmailChange parameter. Shouldn't this solve the issue. However, when talking about MW 1.19 we are still out of luck. However there are only 11 months of support left with the succeeding LTS already released. [1] https://www.mediawiki.org/wiki/Manual:$wgRequirePasswordforEmailChange
@kgh thx for pointing me to this
You are welcome. I wish I had seen this bug before. However the big Kudos go to Reedy who made this parameter reality. This one was a life-saver on several of my wikis.