Create Task
Maniphest T231495

Password Reset: Add Preference for Password Reset Behind Feature Flag
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

As a Wikimedia user, I want to be able to enable the password reset update (i.e. username and email address required) in Preferences, so that I can mitigate harassment or mistaken identity via Special:PasswordReset.

Note: We don't know yet know if this preference will be opt-in or opt-out as default. For this reason, this work should be developed in such a way that we can later determine this behavior.

Acceptance Criteria:

  • Create a feature flag
  • Add a preference that controls whether both username and email address are required for password reset
  • Only show this preference if feature flag is enabled

Details

SubjectRepoBranchLines +/-
Add a preference to require email for password resetsmediawiki/coremaster+25 -0
Customize query in gerrit

Related Objects

Event Timeline

ifried created this task.Aug 28 2019, 8:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 28 2019, 8:52 PM
ifried updated the task description. (Show Details)Aug 28 2019, 8:53 PM
ifried updated the task description. (Show Details)Aug 28 2019, 8:58 PM
ifried updated the task description. (Show Details)Aug 29 2019, 4:20 PM
ifried updated the task description. (Show Details)Aug 29 2019, 4:22 PM
ifried updated the task description. (Show Details)
MusikAnimal updated the task description. (Show Details)Aug 29 2019, 5:30 PM
aezell subscribed.Aug 29 2019, 5:30 PM
ifried set the point value for this task to 3.Aug 29 2019, 5:50 PM
ifried moved this task from Needs Discussion to Up Next (June 3-21) on the Community-Tech board.Aug 29 2019, 5:53 PM
ifried moved this task from Up Next (June 3-21) to Kanban (Q1 2019-20) on the Community-Tech board.Aug 29 2019, 6:03 PM
ifried edited projects, added Community-Tech (Kanban (Q1 2019-20)); removed Community-Tech.
MaxSem claimed this task.Sep 4 2019, 8:14 PM
MaxSem moved this task from Ready to In Development on the Community-Tech (Kanban (Q1 2019-20)) board.
gerritbot added a comment.Sep 5 2019, 1:13 AM

Change 534552 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/core@master] Add a preference to require email for password resets

https://gerrit.wikimedia.org/r/534552

gerritbot added a project: Patch-For-Review.Sep 5 2019, 1:13 AM
MaxSem moved this task from In Development to Needs Review/Feedback on the Community-Tech (Kanban (Q1 2019-20)) board.Sep 5 2019, 1:14 AM

Ready for review.

gerritbot added a comment.Sep 10 2019, 8:41 AM

Change 534552 merged by jenkins-bot:
[mediawiki/core@master] Add a preference to require email for password resets

https://gerrit.wikimedia.org/r/534552

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.22; 2019-09-10).Sep 10 2019, 9:00 AM
Maintenance_bot removed a project: Patch-For-Review.Sep 10 2019, 9:10 AM
MaxSem moved this task from Needs Review/Feedback to Product sign-off on the Community-Tech (Kanban (Q1 2019-20)) board.Sep 10 2019, 9:09 PM

Nothing to QA.

ifried closed this task as Resolved.Sep 10 2019, 10:53 PM
ifried moved this task from Product sign-off to Done on the Community-Tech (Kanban (Q1 2019-20)) board.

Since there is nothing to QA, I'm marking this work as Done.

Reedy subscribed.Sep 11 2019, 5:26 PM

Is there a task for following the rest of the work for this? Because while the preference is obviously done, the task for the work to actually implement it looks AWOL (or on some workboard I've not looked at ;))

T145952: Reduce password reset spam is kinda an overall task, but want to make sure my comment doesn't get lost (let me know if you want a separate ticket)

In T145952#5442469, @Reedy wrote:

I note when someone is implementing this... under T230436 and by Community-Tech

Logging should be put in place so we can see the state of things (ip/user X requested reset for Y etc)... And we should be putting in a rate limiter to prevent one user/ip doing a loooad of requests

Both should be relatively easy to do while working in the area

ifried added a comment.Sep 11 2019, 6:53 PM

@Reedy This is just one ticket within a larger project. The overall project itself is definitely not done.

As for the next task, we may tackle this ticket next: T232512: Inform Users of Preference on Special:PasswordReset

This reminds me: I should create a label/tag for this project, so our progress is easy to track in Phabricator. As a Phabricator newbie, I'm not sure how to create the tag, but I'll figure it out today :)

Reedy added a comment.Sep 11 2019, 7:26 PM

https://www.mediawiki.org/wiki/Phabricator/Creating_and_renaming_projects Should get you started :)

ifried added a comment.Sep 11 2019, 8:08 PM

@Reedy Thank you! I have written the request ticket for the project tag: T232667

Once the tag is up, I'll let you know.

Samwilson added a project: Password-Reset-Update.Sep 11 2019, 10:00 PM
ifried added a comment.EditedSep 11 2019, 11:34 PM

@Reedy The tasks are now tagged as Password-Reset-Update. Thanks!

Samwilson mentioned this in T231583: Design: Determine UX for Enabling/Disabling Password Reset Update via Preferences.Sep 16 2019, 7:41 AM
ifried mentioned this in T234537: Password Reset: Update PRU Language in Preferences [x-small].Oct 10 2019, 4:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits