Page MenuHomePhabricator

When users have no password on their account, guide them through the "reset password" flow in the guise of "set password"
ClosedPublic

Authored by epriestley on Feb 7 2019, 3:25 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Mar 26, 1:02 PM
Unknown Object (File)
Sun, Mar 17, 2:37 PM
Unknown Object (File)
Feb 16 2024, 5:58 PM
Unknown Object (File)
Jan 19 2024, 5:37 PM
Unknown Object (File)
Jan 15 2024, 5:04 PM
Unknown Object (File)
Jan 12 2024, 12:41 AM
Unknown Object (File)
Jan 9 2024, 9:02 AM
Unknown Object (File)
Jan 7 2024, 4:12 PM
Subscribers

Details

Summary

Depends on D20119. Fixes T9512. When you don't have a password on your account, the "Password" panel in Settings is non-obviously useless: you can't provide an old password, so you can't change your password.

The correct remedy is to "Forgot password?" and go through the password reset flow. However, we don't guide you to this and it isn't really self-evident.

Instead:

  • Guide users to the password reset flow.
  • Make it work when you're already logged in.
  • Skin it as a "set password" flow.

We're still requiring you to prove you own the email associated with your account. This is a pretty weak requirement, but maybe stops attackers who use the computer at the library after you do in some bizarre emergency and forget to log out? It would probably be fine to just let users "set password", this mostly just keeps us from having two different pieces of code responsible for setting passwords.

Test Plan
  • Set password as a logged-in user.
  • Reset password on the normal flow as a logged-out user.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable