Last modified: 2013-11-30 18:03:43 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T59579, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 57579 - E:OpenID as consumer: ChangePassword page is shown twice when attaching an OpenID to an existing account using the _temporary_ password
Status: ASSIGNED
Product: MediaWiki extensions
Classification: Unclassified
Component: OpenID
Version: master
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: T. Gries
Depends on: 57731
Blocks: 9604
Reported: 2013-11-26 08:56 UTC by T. Gries
Modified: 2013-11-30 18:03 UTC (History)

Description T. Gries 2013-11-26 08:56:01 UTC

    
Comment 1 T. Gries 2013-11-26 08:59:56 UTC
This problem happens only when using the temporary password (password sent in PasswordReset mail).

E:OpenID as consumer: ChangePassword page is shown twice when attaching an OpenID to an existing account using the _temporary_ password.

The data filled in the first ChangePassword page is totally ignored (for example, the new password values are not checked for equality).

The second ChangePassword is treated correctly and the action ends successfully when entering the temporary password and 2x the new password, as it should be.
Comment 2 T. Gries 2013-11-26 21:39:40 UTC
I added you, because I need your help to find the "last" bug in E:OpenID.
Comment 3 T. Gries 2013-11-27 08:11:52 UTC
Look for function attachUser() in SpecialOpenIDLogin.body.php.

For example, look at https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FOpenID/a4471ef088c5f3b7627126470ae2debc511f4865/SpecialOpenIDLogin.body.php#L909

Can someone spot what's wrong there?

You also need the patch of core SpecialChangePassword https://gerrit.wikimedia.org/r/#/c/96651/ , otherwise SpecialChangePassword does not know that you were using the Temporary password, and want that dialog (text: 'Temporary password' instead of text 'Old password' on the Change Password page).
Comment 4 T. Gries 2013-11-30 18:03:43 UTC
I found (and fixed locally in my test installations) this bug.

Solution was:

adding an additional check of the pre-login CSRF token (which is injected in SpecialOpenIDLogin/ChooseName) in SpecialChangePassword::execute().

So my patch changes that SpecialChangePassword (now) requires either the valid $wgUser( editToken) _or_ a valid preLogin-Token.

(Chris: you were correct! I could not find back the tip you've sent me, otherwise I would have added a pointer here.)

A formal patch will follow.
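
The either-token check described in comment 4, as an added example that is not part of the bug report and is not MediaWiki or OpenID extension code. It is a self-contained PHP model: the session keys and function names are hypothetical, and it assumes the first ChangePassword form carries only the pre-login token because the user is not yet logged in.

```php
<?php
// Added illustration, not MediaWiki or E:OpenID code.
// Session keys and function names are hypothetical.

/** Create a random token and store it in the session under $key. */
function issueToken(array &$session, string $key): string {
    $session[$key] = bin2hex(random_bytes(16));
    return $session[$key];
}

/** Constant-time comparison of a submitted token with the stored one. */
function tokenMatches(array $session, string $key, ?string $submitted): bool {
    return isset($session[$key])
        && is_string($submitted)
        && hash_equals($session[$key], $submitted);
}

/** Model of the check before the fix: only the user's edit token counts. */
function mayProcessOld(array $session, array $post): bool {
    return tokenMatches($session, 'editToken', $post['token'] ?? null);
}

/** Model of the check after the fix: edit token OR pre-login token. */
function mayProcessNew(array $session, array $post): bool {
    $submitted = $post['token'] ?? null;
    return tokenMatches($session, 'editToken', $submitted)
        || tokenMatches($session, 'preLoginToken', $submitted);
}

// Constructed scenario: the OpenID attach flow issued a pre-login token,
// and the user then submits the ChangePassword form with that token.
$session = [];
$preLogin = issueToken($session, 'preLoginToken');
$firstSubmit = ['token' => $preLogin, 'newPassword' => 'constructed-sample'];

// Old check rejects the submission, so the form would be shown again.
var_dump(mayProcessOld($session, $firstSubmit));
// New check accepts the same submission.
var_dump(mayProcessNew($session, $firstSubmit));
// A forged or missing token is still rejected by the new check.
var_dump(mayProcessNew($session, ['token' => str_repeat('0', 32)]));
var_dump(mayProcessNew($session, []));
```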
