Password reset

Revision as of 00:33, 31 December 2012

Sometimes an MW user loses access to their account and cannot login. They have a blank or incorrect email address and have forgotten their password.

The usual response to this situation is to ignore them or to allow some on-wiki user to claim that a password reset is impossible. We do this because changing a user's email address requires shell access, and the workload would quickly escalate beyond reasonable amounts if the service was advertised as something that can be completed via a Bugzilla shell request. The main portion of the work is in avoiding social engineering -- it's necessary to ensure that the email address requested has a legitimate claim to the user account in question.

Occasionally, the requester is someone who, due to long service with the project, has earned the right to ask for 5 minutes of sysadmin time in service of a personal request. The procedure is then as follows:

• Confirm that the email address in question legitimately belongs to the same person as the target account.
• mwscript eval.php --wiki=<user's main wiki>
• $user = User::newFromName('<name>');
• $user->setEmail('<email>');
• $user->setEmailAuthenticationTimestamp(wfTimestampNow());
• $user->saveSettings();
• In your browser, go to Special:PasswordReset on the user's main wiki.
• Type in the user's name and click "email new password".
• Ask requester to check their inbox to ensure that the password reset email was received.

On CentralAuth wikis, the eval.php script has the effect of updating the globaluser table (gu_email and gu_email_authenticated) and then clearing the relevant memcached key (XXwiki:user:id:NNNNNN).