[Bug 59736] password reset mail should have a cancel this link

2014-07-18 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

--- Comment #5 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 147496 had a related patch set uploaded by Rohan013:
Add cancel this link to password reset emails

https://gerrit.wikimedia.org/r/147496

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 59736] password reset mail should have a cancel this link

2014-07-18 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

Gerrit Notification Bot gerritad...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |PATCH_TO_REVIEW



[Bug 59736] password reset mail should have a cancel this link

2014-07-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

Rohan Rawat rohan1...@yahoo.com changed:

           What    |Removed                        |Added
----------------------------------------------------------------------------
             Status|NEW                            |ASSIGNED
                 CC|                               |rohan1...@yahoo.com
           Assignee|wikibugs-l@lists.wikimedia.org |rohan1...@yahoo.com



[Bug 59736] password reset mail should have a cancel this link

2014-01-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

Sam Reed (reedy) s...@reedyboy.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |High
            Summary|password reminder should    |password reset mail should
                   |have a cancel this link     |have a cancel this link

--- Comment #1 from Sam Reed (reedy) s...@reedyboy.net ---
Noting we already have this sort of thing on our email confirmation process.

(In reply to comment #0)
> Didn't request this change?
> If you didn't request a new password, let us know immediately [LINK].
>
> Key to note: the "let us know immediately" doesn't actually have to *do*
> anything; it still reassures people just by existing. (I'm bringing this up
> because one of our outside counsels forwarded me an email and asked "what
> should I do?"; having a link like this would have reassured him.)

Shouldn't it at least invalidate the temporary password sent? Seems a bit silly
not to


This should be fairly easy to implement...



[Bug 59736] password reset mail should have a cancel this link

2014-01-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

--- Comment #2 from Luis Villa (WMF Legal) lvi...@wikimedia.org ---
All sorts of things it could do (invalidate password, record the IP to see if
we should block an IP temporarily from password resets, etc.) But I leave that
up to the implementation :)



[Bug 59736] password reset mail should have a cancel this link

2014-01-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

--- Comment #3 from Sam Reed (reedy) s...@reedyboy.net ---
For reference if someone not so familiar with MediaWiki wants to take this on..

For email confirmation we use the message 'confirmemail_body', which has the
text below.

'Someone, probably you, from IP address $1,
has registered an account $2 with this email address on {{SITENAME}}.

To confirm that this account really does belong to you and activate
email features on {{SITENAME}}, open this link in your browser:

$3

If you did *not* register the account, follow this link
to cancel the email address confirmation:

$5

This confirmation code will expire at $4.', 

Versus for password reset 'passwordremindertext' we have

'Someone (probably you, from IP address $1) requested a new
password for {{SITENAME}} ($4). A temporary password for user
$2 has been created and was set to $3. If this was your
intent, you will need to log in and choose a new password now.
Your temporary password will expire in {{PLURAL:$5|one day|$5 days}}.

If someone else made this request, or if you have remembered your password,
and you no longer wish to change it, you may ignore this message and
continue using your old password.',



[Bug 59736] password reset mail should have a cancel this link

2014-01-06 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=59736

--- Comment #4 from Steven Walling swall...@wikimedia.org ---
(In reply to comment #0)
> When someone gets a password reset email from us these days, it does not
> contain an "if you did not request this password reset, click here to
> cancel."
> This sort of language is becoming pretty standard; Facebook says
>
> Didn't request this change?
> If you didn't request a new password, let us know immediately [LINK].
>
> Key to note: the "let us know immediately" doesn't actually have to *do*
> anything; it still reassures people just by existing. (I'm bringing this up
> because one of our outside counsels forwarded me an email and asked "what
> should I do?"; having a link like this would have reassured him.)

Actually I think it's not okay to mislead the user like that. 

If we include a cancel link, it should either:

A) invalidate the temporary password sent 
B) set a flag on the account or otherwise actually report the issue to someone
who can help the user ensure their account is secure

We don't have a cancel link currently because, just like on the actual form, we
don't actually require the user to take action to not reset their password. The
password reset email doesn't actually reset your password, it just provides you
the ability to do so if you want. If you don't want, you can ignore the email
and keep using your old password. 

If users are confused, I would suggest clarifying language that says what they
should do if they don't want to reset their password. Is there something
already in there along these lines?

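
Added example, not part of the thread and not MediaWiki code: a minimal Python model of a cancel link that acts as comments #1, #2 and #4 ask, invalidating the temporary password and keeping the requesting IP for follow-up. The ResetStore class, its method names, the token sizes and the 7-day lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TEMP_TTL = 7 * 24 * 3600  # assumed lifetime of the temporary password, in seconds

def _h(value: str) -> str:
    # A plain digest is acceptable here only because both secrets are long random strings.
    return hashlib.sha256(value.encode()).hexdigest()

class ResetStore:
    """In-memory stand-in for the user table (hypothetical, not MediaWiki's schema)."""

    def __init__(self):
        self.pending = {}    # user -> {"temp": digest, "cancel": digest, "ip": str, "exp": float}
        self.reported = []   # (user, requester_ip) pairs kept for rate limiting or review

    def request_reset(self, user, requester_ip, now=None):
        now = time.time() if now is None else now
        temp, cancel_token = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self.pending[user] = {"temp": _h(temp), "cancel": _h(cancel_token),
                              "ip": requester_ip, "exp": now + TEMP_TTL}
        return temp, cancel_token   # both go into the mail; only digests are stored

    def cancel(self, user, token, now=None):
        now = time.time() if now is None else now
        rec = self.pending.get(user)
        if rec is None or now > rec["exp"]:
            return False                              # nothing to cancel, or already expired
        if not hmac.compare_digest(rec["cancel"], _h(token)):
            return False                              # a guessed link cancels nothing
        del self.pending[user]                        # option A: the temporary password is dead
        self.reported.append((user, rec["ip"]))       # option B / comment #2: keep the requester IP
        return True

    def login_with_temp(self, user, temp, now=None):
        now = time.time() if now is None else now
        rec = self.pending.get(user)
        return (rec is not None and now <= rec["exp"]
                and hmac.compare_digest(rec["temp"], _h(temp)))
```

The cancel token is separate from the temporary password, so following the cancel link never proves knowledge of a credential, and a cancelled or expired token cannot be replayed.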