Last modified: 2013-03-12 05:16:54 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T48010, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 46010 - Special:PasswordReset should tell if e-mail is not registered
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.21.x
Hardware: All All
Importance: Unprioritized normal
Assigned To: Nobody - You can work on this!
Reported: 2013-03-12 00:45 UTC by Juliusz Gonera
Modified: 2013-03-12 05:16 UTC (History)
Description Juliusz Gonera 2013-03-12 00:45:22 UTC
No matter what e-mail you enter on Special:PasswordReset, you get this message:

"A reminder email has been sent."

The user then assumes that they have an account even if they don't (or if they registered with a different e-mail address). The reminder (or any other email) never arrives though and it just seems as if the web site was broken.
Comment 1 Matthew Flaschen 2013-03-12 05:16:54 UTC
This is deliberate.  The code explicitly says:

"// Don't reveal whether or not an email address is in use"

https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes/specials/SpecialPasswordReset.php;h=90b0ac802cf11272be43a2b6c72631aca12b1023;hb=HEAD#l185

Many sites work like this (including on password reset screens).  Some sites don't reveal either the list of usernames or the list of emails.

On MW, the list of users is public (Special:ListUsers), but email addresses are private.  We should not make it possible for someone to check whether an email is registered.
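
The trade-off discussed in this report, as an added example that is not part of the original bug report and is not MediaWiki's code: a reset handler that answers as the report requests, next to one that answers as comment 1 describes, plus a regression check that flags a handler whose visible response depends on whether the address is registered. The user table, function names and message strings other than "A reminder email has been sent." are assumptions made for the illustration.

```python
import secrets

# Constructed sample data: usernames are public, e-mail addresses are private.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}
GENERIC = "A reminder email has been sent."


def _accounts_for(email):
    wanted = email.strip().lower()
    return [name for name, addr in USERS.items() if addr == wanted]


def _queue_reset(names, outbox):
    # Queue the mail instead of sending inline, so response time does not
    # depend on whether the address matched.
    for name in names:
        outbox.append({"to": USERS[name], "user": name,
                       "token": secrets.token_urlsafe(32)})


def reset_revealing(email, outbox):
    """Behaviour requested in the report: say when the address is unknown."""
    names = _accounts_for(email)
    if not names:
        return "No account uses that e-mail address."
    _queue_reset(names, outbox)
    return GENERIC


def reset_uniform(email, outbox):
    """Behaviour described in comment 1: same answer for every address."""
    _queue_reset(_accounts_for(email), outbox)
    return GENERIC


def reveals_registration(handler, known, unknown):
    """Regression check: True if the visible response differs by address."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    for handler in (reset_revealing, reset_uniform):
        leaks = reveals_registration(handler, "alice@example.org",
                                     "nobody@example.org")
        print(f"{handler.__name__}: reveals registration = {leaks}")
```

The check compares response text only; a full test suite would also compare status codes, redirects and response latency between the two cases.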
