#11422 closed defect (cantfix)
Reset password process is very rudimentary
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | general | Version: | |
Severity: | normal | Keywords: | password reset |
Cc: | Steffen Hoffmann, Ryan J Ollos | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
I would provide an example. I am trying to reset password on https://trac.torproject.org/projects/tor Firstly, there is no 'Reset Password' link anywhere there. Secondly, after I googled for this I found that URL might be like this: <…>/projects/tor/reset_password. But it asks me for both username and password, and I know both, and it still says it is a mismatch: "The email and username must match a known account." So I am left at the dead end: trac doesn't suggest to e-mail a link to the address associated with the account.
Trac should offer the 'Reset password' link. And also be able to e-mail the reset link to the address associated with an account.
I hit "forgot password" issue with many other sites, and so far Trac is one of the most difficult cases due to those issues.
Attachments (0)
Change History (10)
comment:1 by , 11 years ago
Cc: | added |
---|---|
Resolution: | → cantfix |
Status: | new → closed |
comment:2 by , 11 years ago
Replying to yuri@…:
I would provide an example. I am trying to reset password on https://trac.torproject.org/projects/tor Firstly, there is no 'Reset Password' link anywhere there. Secondly, after I googled for this I found that URL might be like this: <…>/projects/tor/reset_password. But it asks me for both username and password,
correction for reference: username + email
and I know both, and it still says it is a mismatch: "The email and username must match a known account."
This could be for several reasons. We don't even know the plugin version and used password stores as a starting point.
So I am left at the dead end: trac doesn't suggest to e-mail a link to the address associated with the account.
This has been asked in th:#10762, an I see the point.
Trac should offer the 'Reset password' link. And also be able to e-mail the reset link to the address associated with an account.
I hit "forgot password" issue with many other sites, and so far Trac is one of the most difficult cases due to those issues.
Sure, there is room for improvements. Currently (read: in a current plugin version) the link is available at the login form provided by the same plugin. But using HTTP auth this page will never get displayed. Where would you expect such a link then? Adding it to the metanav navigation next to "Register" would be cluttering it up quite a bit IMHO. But I invite you to come over to trac-hacks for more in-deep discussion, what is appreciated for sure.
Of course with a better solution it'll still be left to site admins to accept it and install the new plugin version.
comment:3 by , 11 years ago
Cc: | added |
---|
I have a few comments, but I'll add them to the reporter's post on the mailing list.
follow-up: 5 comment:4 by , 11 years ago
Registration/authentication on this problematic torproject site has one more relevant problem: To register one only provides login and password. No e-mail is asked at all. But in order to recover the password it asks for an e-mail (in that hidden/guessed link). This doesn't make sense and is obviously wrong.
I am reporting this here because the site admin just used the Trac distro from you, and the problem stems from some bug in Trac.
comment:5 by , 11 years ago
Replying to yuri@…:
I am reporting this here because the site admin just used the Trac distro from you, and the problem stems from some bug in Trac.
That could be a bug, or it could be a configuration issue. You should report the issue to the Tor site, and suggest they first upgrade to th:AccountManagerPlugin 0.4.3, and then get in contact with Steffen through the MailingList or by opening a ticket at th:AccountManagerPlugin if they continue to have issues. It is challenging to help you when we don't know the site configuration, or even the version of the plugin that is installed. As mentioned, it is not an issue with Trac, but rather the th:AccountManagerPlugin, so we shouldn't discuss it any further here.
follow-up: 7 comment:6 by , 10 years ago
I really don't understand why this bug report is closed.
I just came across the page http://bugs.icu-project.org/trac that doesn't have 'register' link at all.
Are you denying that this is Trac problem that so many installations suffer from this problem?
Please reopen this case and fix the problem.
comment:7 by , 10 years ago
Replying to anonymous:
I just came across the page http://bugs.icu-project.org/trac that doesn't have 'register' link at all.
As stated in comment:1, registration is provided by the th:AccountManagerPlugin. To enable registration on bugs.icu-project.org they would need to:
- Install th:AccountManagerPlugin if not installed
- Enable RegistrationModule.
They should also upgrade their Trac instance to the latest, but that's another matter.
But it's possible they don't want to allow users to register. That is their choice and we have no control over that.
comment:8 by , 10 years ago
That page has the link "login (not required for tickets)".
Normally, "login" implies that one can register. If there is no registration plugin, and no registration is possible, Trac should print the notice "No registration is available to public" to avoid confusion. Or remove the "login" link altogether, and just say "No login is required to create a ticket".
Otherwise behavior of Trac isn't consistent, and causes such questions.
comment:9 by , 10 years ago
The http://bugs.icu-project.org/trac site has customized the text of that link. By default Trac just says login
. I suggest you relay those configuration suggestions to the http://bugs.icu-project.org/trac team. Trac has no knowledge about registration. That is handled by th:AccountManagerPlugin.
comment:10 by , 10 years ago
Putting "login" link without the corresponding "register" link is also wrong.
The thing is, once you provide the software, it should enforce/recommend/encourage/check-n-warn the valid configuration. And it doesn't because there are many sites with this same problem.
I can't be communicating anything to anybody, because this isn't right that I even have to. Such bug reporting sites should just work, and be super easy and intuitive. This isn't right to chase users and communicate something to them.
PluginIssue. The password reset functionality is provided by the th:AccountManagerPlugin.
In fact, I was investigating similar issues with trac-hacks.org earlier today, with the aim of improving the password reset functionality. There is likely room for improvement, but the changes need to occur in th:AccountManagerPlugin. The best course of action is to raise the issue on the MailingList and we can determine if the tor site has a configuration issue, or if there is a defect in the th:AccountManagerPlugin.