API resetpassword should allow user and email use together
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

send a post request to https://zh.wikipedia.org/w/api.php with params:
- action: resetpassword
- format: json
- user: Example
- email: user@example.com
- token: <token>

What happens?:

{
    "error": {
        "code": "invalidparammix",
        "info": "The parameters \"user\" and \"email\" can not be used together.",
        "docref": "See https://zh.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/&gt; for notice of API deprecations and breaking changes."
    },
    "servedby": "[redacted]"
}

What should have happened instead?:
Because of EPR, some accounts require both username and email to request a password reset. The API should allow user and email use together.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
ApiResetPassword: Allow both user and email parameters to be passed for reset	mediawiki/core	REL1_40	+5 -2
ApiResetPassword: Allow both user and email parameters to be passed for reset	mediawiki/core	REL1_41	+5 -2
ApiResetPassword: Allow both user and email parameters to be passed for reset	mediawiki/core	REL1_39	+5 -2
ApiResetPassword: Allow both user and email parameters to be passed for reset	mediawiki/core	master	+5 -2

Customize query in gerrit

Related Objects

Mentioned Here: rMW54d58ef50665: API changes for AuthManager

Event Timeline

SunAfterRain created this task.Dec 13 2023, 6:22 AM

Restricted Application added subscribers: Stang, Aklapper. · View Herald TranscriptDec 13 2023, 6:22 AM

Ammarpad added a project: MediaWiki-Action-API.Dec 13 2023, 6:45 AM

SunAfterRain updated the task description. (Show Details)Dec 13 2023, 6:46 AM

SCP-2000 subscribed.Dec 13 2023, 6:48 AM

SunAfterRain updated the task description. (Show Details)Dec 13 2023, 6:49 AM

This should have been part of Community-Tech's work on Password-Reset-Update.

Restricted Application added a project: Community-Tech. · View Herald TranscriptDec 13 2023, 7:09 AM

TheresNoTime subscribed.Jan 24 2024, 2:42 PM

@dmaza is password reset something that CommTech continues to own? I don't see it in our maintenance page. https://meta.wikimedia.org/wiki/Community_Tech/Maintenance

dmaza moved this task from New & TBD Tickets to Needs Discussion on the Community-Tech board.Feb 15 2024, 6:37 PM

@JTannerWMF does your team use the API resetpassword feature? It looks like it's broken and want to make sure this ticket is a one-off.

• JWheeler-WMF moved this task from Needs Discussion to Freezer on the Community-Tech board.Feb 15 2024, 6:48 PM

Reedy updated the task description. (Show Details)Feb 15 2024, 6:49 PM

This seems to have always been the case since it's implementation in rMW54d58ef50665: API changes for AuthManager.

Though, it's possible this restriction just wasn't removed from the API endpoint (but was from the UI, if it existed) when Password-Reset-Update stuff happened.

Change 1003815 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@master] ApiResetPassword: Allow user and email parameters for reset

https://gerrit.wikimedia.org/r/1003815

gerritbot added a project: Patch-For-Review.Feb 15 2024, 6:53 PM

Reedy triaged this task as Low priority.Feb 15 2024, 7:11 PM

Change 1003815 merged by jenkins-bot:

[mediawiki/core@master] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1003815

Maintenance_bot removed a project: Patch-For-Review.Feb 20 2024, 2:30 AM

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.20; 2024-02-27).Feb 22 2024, 10:02 AM

Reedy moved this task from Backlog to Done on the Password-Reset-Update board.Feb 28 2024, 5:06 PM

Change 1007367 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_41] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1007367

Change 1007368 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_40] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1007368

Change 1007369 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_39] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1007369

Change 1007369 merged by jenkins-bot:

[mediawiki/core@REL1_39] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1007369

Change 1007368 merged by jenkins-bot:

[mediawiki/core@REL1_40] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1007368

Change 1007367 merged by jenkins-bot:

[mediawiki/core@REL1_41] ApiResetPassword: Allow both user and email parameters to be passed for reset

https://gerrit.wikimedia.org/r/1007367

Maintenance_bot removed a project: Patch-For-Review.Feb 29 2024, 6:31 PM

ReleaseTaggerBot added projects: MW-1.40-notes, MW-1.39-notes, MW-1.41-notes.Feb 29 2024, 8:00 PM

Umherirrender closed this task as Resolved.Mar 15 2024, 11:10 PM

Umherirrender assigned this task to Reedy.

Stang unsubscribed.Oct 24 2024, 3:44 AM

API resetpassword should allow user and email use togetherClosed, ResolvedPublicBUG REPORTActions

Description

Details

Related Objects

Event Timeline

API resetpassword should allow user and email use together
Closed, ResolvedPublicBUG REPORT
Actions