Last modified: 2010-05-15 15:38:05 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 4063 - New user can login with empty password
New user can login with empty password
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
1.5.x
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-11-24 17:36 UTC by chris01
Modified: 2010-05-15 15:38 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description chris01 2005-11-24 17:36:54 UTC
If we send out an email to a new user with a random password (from Special:Userlogin) logged in as SysAdmin, then the user can log in with the 
password in the email, but _also_ with an empty password!

This is no longer possible, once the user has logged in and reset his password.

Setting $wgMinimalPasswordLength in LocalSettings.php to a value other than 0 seems to fix this problem.
Comment 1 Brion Vibber 2005-11-24 20:38:24 UTC
Set an initial password in the user creation form, or you're giving it an empty 
password!
Comment 2 chris01 2005-11-25 07:19:47 UTC
(In reply to comment #1)
> Set an initial password in the user creation form, or you're giving it an empty 
> password!

Thanks for the comment. That's what i found as a workaround as well. I still think it is counter intuitive that using the 
method described at http://meta.wikimedia.org/wiki/Access_Restrictions results in a user that has _two_ passwords. One 
random - sent out via email - and an empty password. Or am I missing something?

Comment 3 T. Gries 2005-11-25 07:24:39 UTC
(In reply to comment #2)
> .... I still think it is counter intuitive that using the 
> method described at http://meta.wikimedia.org/wiki/Access_Restrictions results
in a user that has _two_ passwords. One 
> random - sent out via email - and an empty password. Or am I missing something?

No; it results indeed in a user that has _two_ passwords. One random - sent out
via email - and the regular password (which might be empty in your case).
 
Comment 4 T. Gries 2005-11-25 07:27:48 UTC
See also http://bugzilla.wikimedia.org/show_bug.cgi?id=2242 , wherein I proposed
an expiry time for the temporary password

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links