https://bugzilla.wikimedia.org/show_bug.cgi?id=29135
--- Comment #6 from T. Gries <[email protected]> 2011-05-30 07:32:38 UTC ---

Hello,

because I do not yet feel competent enough to change the code in such a sensitive area as login and password issues: could one of you (experts) please look into the following change request and apply a fix for it?

The following is an aggregated summary.

* Problem to be solved:

User A can trigger a password mail to another user B simply by accessing Special:PasswordReset and entering username B into the field.

When logged-in users visit Special:PasswordReset, they see an _empty_ input field for entering a username. The _empty_ field does not make sense, because:

Logged-in users should - except in special cases like members of a new group -

  $wgGroupPermissions["sysop"]["isallowed-to-reset-other-user-password"] = true;

not be allowed to trigger a password reset of a different user.

* Change requests (A), (B) in Special:PasswordReset

* (A)
- if "user", then PasswordReset should
  - disallow typing of arbitrary usernames
  - populate the Username field with the current user's username
  - set this field readonly=readonly
  - the onSubmit callback must sanitize the return and check whether the correct and only allowed current user's username comes back
  - no password throttle if the user resets their own password by mail (skip the check against the password throttle if the user resets their own password)
  -> then mail the temporary password to user(username)

* (B)
I also need (for OpenID) a clean way of internally sending a temporary password directly (not: e-mail confirmation, this is already implemented) to a logged-in user (without the form). Such a function could be re-used by the change request (A) method.
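The server-side check that change request (A) asks for, written here as an added example; it is not part of the original comment and is not MediaWiki code. The function names, the session array layout and the username normalisation are assumptions; only the right name is taken from the comment.

```php
<?php
// Added illustration; function and array names are hypothetical, not MediaWiki APIs.
const RESET_OTHERS_RIGHT = 'isallowed-to-reset-other-user-password'; // right proposed in the comment

// Assumed normalisation: trim, underscores to spaces, ASCII first letter upper-cased.
function canonicalName(string $name): string {
    return ucfirst(trim(str_replace('_', ' ', $name)));
}

/**
 * Server-side decision for a reset form submitted by a logged-in user.
 * $session = ['name' => string, 'rights' => string[]]; $submitted is the raw form field.
 * Returns ['allow' => bool, 'target' => ?string, 'throttle' => bool, 'reason' => string].
 */
function authorizeReset(array $session, string $submitted): array {
    $self = canonicalName($session['name']);
    $target = canonicalName($submitted);

    if ($target === '') {
        return ['allow' => false, 'target' => null, 'throttle' => true, 'reason' => 'empty username'];
    }
    if ($target === $self) {
        // Change request (A): own password, so the throttle check is skipped.
        return ['allow' => true, 'target' => $self, 'throttle' => false, 'reason' => 'self reset'];
    }
    if (in_array(RESET_OTHERS_RIGHT, $session['rights'], true)) {
        // Assumption: privileged resets of other accounts stay throttled.
        return ['allow' => true, 'target' => $target, 'throttle' => true, 'reason' => 'privileged reset'];
    }
    // readonly in the HTML does not bind the POST body; a mismatch is rejected here.
    return ['allow' => false, 'target' => null, 'throttle' => true, 'reason' => 'username is not the current user'];
}

// Constructed sample submissions: the field is readonly in the browser, yet the value is still client-supplied.
$alice = ['name' => 'Alice', 'rights' => []];
$carol = ['name' => 'Carol', 'rights' => [RESET_OTHERS_RIGHT]];
foreach ([[$alice, 'alice'], [$alice, 'Bob'], [$carol, 'Bob']] as [$who, $field]) {
    $r = authorizeReset($who, $field);
    printf("%s submits '%s': %s (%s), throttle=%s\n", $who['name'], $field,
        $r['allow'] ? 'allow' : 'deny', $r['reason'], $r['throttle'] ? 'yes' : 'no');
}
```

The mail is sent to the returned `target`, never to the raw form value, so the readonly attribute is only a display aid and the decision rests on the session identity.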
