Last modified: 2013-11-22 19:41:27 UTC
* 1.23wmf3 (e2e9b85)

Scenario:
+ en.wikipedia.org as of 2013-11-20
+ go to "Reset Password" page and trigger the I-forgot-my-password e-mail-password mail
+ come back to the login page
+ enter the temporary password
+ you are now correctly asked to change your password (=mandatory password change after login with temporary password)
+ after a successful password change you will see

Bug:
===
page title after successful password change is (still): "Change Password"
URL is: "https://en.wikipedia.org/w/index.php?title=Special:ChangePassword&returnto=&returntoquery=&fromhttp=1"
with unsuited information on it: "You must be logged in to access this page directly."

This is strictly reproducible.
perhaps the fix of https://bugzilla.wikimedia.org/show_bug.cgi?id=57065 solves this.
(In reply to comment #1)
> perhaps the fix of https://bugzilla.wikimedia.org/show_bug.cgi?id=57065 solves this.

^wrong

I meant: See https://bugzilla.wikimedia.org/show_bug.cgi?id=57098
SpecialPasswordReset when called does not obey an optional returnto parameter

Perhaps the fix of 57098 also solves the present 57289.
Thanks for taking the time to report this!

Confirming:
- logged out
- went to https://en.wikipedia.org/wiki/Special:PasswordReset
- enter username
- Get "A password reset email has been sent."
- Check mail
- Copy temp password
- In browser, click "Log in" in upper corner which now links to https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Special%3APasswordReset
- Enter username and temp password
- Get "Change password - You logged in with a temporary emailed code. To finish logging in, you must set a new password here:"

Result:
- "Change password - You must be logged in to access this page directly."

Needed to log in once again. Meh.
> Needed to log in once again. Meh.

just to say it very kindly again in case it has been overlooked:

> __perhaps_(!)_ the fix of https://bugzilla.wikimedia.org/show_bug.cgi?id=57098 solves this, too.
Is this still happening? I'm not able to reproduce it. Just to confirm,

* I enter my username and temp password, click login
* I get the change password form. I'm not logged in. Old password is pre-filled.
* I enter in a new password (twice), and click submit.
* I'm taken back to Main_Page, and I'm logged in.

Am I missing a step?
(In reply to comment #5)
> Is this still happening? I'm not able to reproduce it. Just to confirm,
>
> * I enter my username and temp password, click login
> * I get the change password form. I'm not logged in. Old password is pre-filled.
> * I enter in a new password (twice), and click submit.
> * I'm taken back to Main_Page, and I'm logged in.
>
> Am I missing a step?

Yes, certainly. I still can reproduce my findings as in the first comment, and as confirmed by André in https://bugzilla.wikimedia.org/show_bug.cgi?id=57289#c3

Please reproduce step-by-step:

Scenario:
+ en.wikipedia.org as of 2013-11-22
+ go to "Reset Password" page and trigger the I-forgot-my-password e-mail-password mail
+ come back to the login page
+ enter the temporary password
+ you are now correctly asked to change your password (=mandatory password change after login with temporary password)
+ after a successful password change you will see

"Change Password" (=page title)
"You must be logged in to access this page directly."
URL is: "https://en.wikipedia.org/w/index.php?title=Special:ChangePassword&returnto=&returntoquery=&fromhttp=1"

This is *strictly* reproducible.

Raising severity to "major" because it relates to a password issue, which could point to a critical bug.
screenshot of the page after successfully having entered the temp.password and 2x the new password: + http://i.imgur.com/IDNp8W4.png
Change 96970 had a related patch set uploaded by IAlex: Fix login with temporary password with $wgSecureLogin = true https://gerrit.wikimedia.org/r/96970
For the record, the cause of this bug is from Ia0a61e98fbff7 ( https://gerrit.wikimedia.org/r/93425), which introduced WebRequest::getProtocol as an instance method rather than the previous practice of always using WebRequest::detectProtocol, which is static.
Change 96994 had a related patch set uploaded by MarkAHershberger: Fix login with temporary password with $wgSecureLogin = true https://gerrit.wikimedia.org/r/96994
Change 96970 merged by MarkAHershberger: Fix login with temporary password with $wgSecureLogin = true https://gerrit.wikimedia.org/r/96970
Change 96994 merged by MarkAHershberger: Fix login with temporary password with $wgSecureLogin = true https://gerrit.wikimedia.org/r/96994
In www.mediawiki.org: Not solved

After changing the password, see http://i.imgur.com/7ADHPHH.png
URL: https://www.mediawiki.org/w/index.php?title=Special:ChangePassword&returnto=&returntoquery=&fromhttp=1

Problem is not solved, in my view.
That's because the fix has not been deployed yet. However, the actual bug in question has been resolved in master.
Tyler: okay. I understand this from a discussion in the chat some minutes ago. ty