Page MenuHomePhabricator

When users have no password on their account, guide them through the "reset password" flow in the guise of "set password"
ClosedPublic

Authored by epriestley on Feb 7 2019, 3:25 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jun 29, 1:58 AM
Unknown Object (File)
Wed, Jun 22, 4:28 AM
Unknown Object (File)
Mon, Jun 20, 2:49 AM
Unknown Object (File)
Sat, Jun 18, 2:41 PM
Unknown Object (File)
Fri, Jun 10, 8:47 AM
Unknown Object (File)
Mon, Jun 6, 12:53 AM
Unknown Object (File)
Fri, Jun 3, 7:58 PM
Subscribers

Details

Summary

Depends on D20119. Fixes T9512. When you don't have a password on your account, the "Password" panel in Settings is non-obviously useless: you can't provide an old password, so you can't change your password.

The correct remedy is to "Forgot password?" and go through the password reset flow. However, we don't guide you to this and it isn't really self-evident.

Instead:

  • Guide users to the password reset flow.
  • Make it work when you're already logged in.
  • Skin it as a "set password" flow.

We're still requiring you to prove you own the email associated with your account. This is a pretty weak requirement, but maybe stops attackers who use the computer at the library after you do in some bizarre emergency and forget to log out? It would probably be fine to just let users "set password", this mostly just keeps us from having two different pieces of code responsible for setting passwords.

Test Plan
  • Set password as a logged-in user.
  • Reset password on the normal flow as a logged-out user.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable