-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've introduced new handling for e-mailed password resets in r18288.

Previously, the random password generated at e-mail time was allowed to
be used transparently for regular logins. Both the previous and the
generated passwords would continue to be valid for logins until a new
password was manually set at Special:Preferences.

Now, use of the temporary password at Special:Userlogin will instead
shunt over to a password-change form (via the new special-purpose
Special:Resetpass).

So:

* The only thing you can do with an e-mailed password now is choose a
  new password
* Once you've changed your password, both the previous password and the
  e-mailed temporary password are no longer valid for anything

This should discourage people from using the e-mailed passwords
permanently, and make password resets safer (since the old password will
definitely no longer be valid once the person has logged in with the
new one).

Internally, User::setPassword() now does some validity checking, talks
to $wgAuth directly, and throws PasswordError exceptions for failure
cases. These can be caught for error reporting in the user interface.

User::checkPassword() no longer returns true for the temporary password;
use the separate User::checkTemporaryPassword() to check for a match there.

LoginForm::authenticateUserData() returns a new error code for this
case; the bot API may or may not need to be updated.

- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFfjBLwRnhpk1wk44RAlQCAJ40AB8wmeasyP5bx1X9KGWup/rT6wCfeTpC
WVU/FJQ68E8sC725EyEEcFc=
=Ufdp
-----END PGP SIGNATURE-----
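
A minimal model of the flow this message describes, added here as an illustration and not MediaWiki's own code. Only the names checkPassword(), checkTemporaryPassword(), setPassword() and PasswordError come from the message; DemoUser, mailTemporaryPassword(), authenticate(), the result strings and the 8-character minimum are assumptions.

```php
<?php
// Simplified model of the reset flow: a temporary password can only lead to a
// password change. DemoUser and the 8-character rule are hypothetical.
class PasswordError extends Exception {}

class DemoUser {
    private $hash;            // hash of the regular password
    private $tempHash = null; // hash of the e-mailed temporary password, if any

    public function __construct(string $password) {
        $this->hash = password_hash($password, PASSWORD_DEFAULT);
    }
    // Issue a temporary password; the regular one stays valid until a change.
    public function mailTemporaryPassword(): string {
        $temp = bin2hex(random_bytes(8));
        $this->tempHash = password_hash($temp, PASSWORD_DEFAULT);
        return $temp; // would be e-mailed to the account's address
    }
    // Matches the regular password only, never the temporary one.
    public function checkPassword(string $p): bool {
        return password_verify($p, $this->hash);
    }
    public function checkTemporaryPassword(string $p): bool {
        return $this->tempHash !== null && password_verify($p, $this->tempHash);
    }
    // Validate, replace the regular password, and discard the temporary one.
    public function setPassword(string $new): void {
        if (strlen($new) < 8) {
            throw new PasswordError('password too short');
        }
        $this->hash = password_hash($new, PASSWORD_DEFAULT);
        $this->tempHash = null;
    }
}

// Login decision: a temporary-password match is its own result, not a success.
function authenticate(DemoUser $u, string $p): string {
    if ($u->checkPassword($p)) { return 'SUCCESS'; }
    if ($u->checkTemporaryPassword($p)) { return 'RESET_PASS'; } // hypothetical code
    return 'WRONG_PASS';
}

$u = new DemoUser('old-password');            // constructed sample account
$temp = $u->mailTemporaryPassword();
echo authenticate($u, $temp), "\n";           // caller must show the change form
try { $u->setPassword('short'); } catch (PasswordError $e) { echo $e->getMessage(), "\n"; }
$u->setPassword('a-new-long-password');
foreach (['old-password', $temp, 'a-new-long-password'] as $p) {
    echo authenticate($u, $p), "\n";          // old and temporary are now rejected
}
```

A real reset form would re-check checkTemporaryPassword() on the submitted temporary password before calling setPassword(), so that reaching the form is not by itself enough to change the password.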