Last modified: 2013-11-30 18:03:43 UTC
This problem happens only when using the temporary password (password sent in PasswordReset mail). E:OpenID as consumer: ChangePassword page is shown twice when attaching an OpenID to an existing account using the _temporary_ password. The data filled in the first ChangePassword page is totally ignored (for example, the new password values are not checked for equality). The second ChangePassword is treated correctly and action ends successful when entering the temporary password and 2x the new passord, as it should be.
I added you, because I need your help to find the "last" bug in E:OpenID.
Look for function attachUser() in SpecialOpenIDLogin.body.php . For example look to https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FOpenID/a4471ef088c5f3b7627126470ae2debc511f4865/SpecialOpenIDLogin.body.php#L909 Can someone spot what's wrong there. You also need the patch of core SpecialChangePassword https://gerrit.wikimedia.org/r/#/c/96651/ , otherwise SpecialChangePassword does not know that you were using the Temporary password, and want that dialog (text: 'Temporary password' instead of text 'Old password' on the Change Password page).
I found (and fixed locally in my test installations) this bug. Solution was: adding an additional check of the pre-login csrf token (which is injected in SpecialOpenIDLogin/ChooseName in SpecialChangePassword::execute(). So my patch changes that SpecialChangePassword (now) requires either the valid $wgUser( editToken) _or_ a valid preLogin-Token. (Chris: you were correct! I could not find back the tip you've sent me, otherwsie I would have added a pointer here.) A formal patch will follow.