Thread:Project:Support desk/Protecting Sysop and Admin Email Password Reset/reply (3)

Hi!

You might be interested in the hooks Manual:Hooks/User::mailPasswordInternal and especially Manual:Hooks/SpecialPasswordResetOnSubmit.

Let me get the logic straight:
 * A user has forgotten his password (and so he is not logged in).
 * He now "pretends" to be one certain user (maybe he is, maybe he is not) and asks MediaWiki to send out a new-password mail to this user's e-mail address.

Problem with that is that you don't know if this user actually maybe even is this admin (so that you want him to get the new password for the admin account). So I would say you cannot differentiate between "This user is an admin; he is allowed to trigger the 'send-admin-an-e-mail' function" and "This user is no admin; he is not allowed to do so".

So it all boils down to the IP range. In the hook SpecialPasswordResetOnSubmit you have access to "User objects" (for which users?). And you have the user data, which was sent by the requesting user.

The information at that point should enable you to get the user's IP address (see the functions in includes/User.php) and to check it against the range you want. Should the user be outside of that range, you can use &$error to give back an error code; otherwise you can let the hook go on. This would block any user from outside the defined range from requesting a password-reset mail; that might be a good start for the problem.
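The approach described in this reply, written out as an added example for LocalSettings.php (not code from the original post or from MediaWiki itself); it goes one step further and only restricts resets that target a sysop or bureaucrat account, so ordinary users keep the normal self-service reset. It assumes the classic hook signature `( &$users, $data, &$error )`, the `IP::isInRange()` and `RequestContext` helpers of that era, and a constructed setting `$wgPasswordResetAdminRanges` with placeholder CIDR ranges.

```php
<?php
// Added example for LocalSettings.php (assumed names, not from the original post).
// Constructed sample ranges: replace with the networks your admins really use.
$wgPasswordResetAdminRanges = [ '192.0.2.0/24', '2001:db8::/32' ];

$wgHooks['SpecialPasswordResetOnSubmit'][] = function ( &$users, $data, &$error ) {
	global $wgPasswordResetAdminRanges;

	// $users holds the User objects the requester asked a reset mail for.
	// Only apply the range check when a privileged account is among them.
	$privileged = false;
	foreach ( $users as $user ) {
		if ( array_intersect( [ 'sysop', 'bureaucrat' ], $user->getGroups() ) ) {
			$privileged = true;
			break;
		}
	}
	if ( !$privileged ) {
		return true; // ordinary account: let the normal flow continue
	}

	// IP of the requester filling in Special:PasswordReset; it comes from the
	// current web request, not from the (logged-out) target User objects.
	$ip = RequestContext::getMain()->getRequest()->getIP();

	foreach ( $wgPasswordResetAdminRanges as $range ) {
		if ( IP::isInRange( $ip, $range ) ) {
			return true; // inside an allowed range: let the hook go on
		}
	}

	// Outside every allowed range: log it for the operators and refuse.
	// $error is a message key; define it in MediaWiki:Passwordreset-blocked-ip.
	wfDebugLog( 'passwordreset', "Blocked admin password reset request from $ip" );
	$error = 'passwordreset-blocked-ip';
	return false;
};
```

Returning false with `$error` set makes Special:PasswordReset show that message instead of sending the mail, which is the "give back an error code" step above.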