Include throttle message in password reset success

Update password reset success message to include throttle message.

Bug: T249730
Change-Id: Ia247034ec9a93689218c619d391a666c6b92991a

includes/user/PasswordReset.php

@@ -212,6 +212,12 @@ class PasswordReset implements LoggerAwareInterface {
 			return StatusValue::newFatal( Message::newFromSpecifier( $error ) );
 		}
 
+		// Check against the rate limiter. If the $wgRateLimit is reached, we want to pretend
+		// that the request was good to avoid displaying an error message.
+		if ( $performingUser->pingLimiter( 'mailpassword' ) ) {
+			return StatusValue::newGood();
+		}
+
 		// Get the first element in $users by using `reset` function just in case $users is changed
 		// in 'SpecialPasswordResetOnSubmit' hook.
 		$firstUser = reset( $users ) ?? null;
@@ -231,11 +237,6 @@ class PasswordReset implements LoggerAwareInterface {
 			}
 		}
 
-		// Check against the rate limiter
-		if ( $performingUser->pingLimiter( 'mailpassword' ) ) {
-			return StatusValue::newFatal( 'actionthrottledtext' );
-		}
-
 		if ( !$users ) {
 			if ( $method === 'email' ) {
 				// Don't reveal whether or not an email address is in use
@@ -288,7 +289,7 @@ class PasswordReset implements LoggerAwareInterface {
 
 			$status = $this->authManager->allowsAuthenticationDataChange( $req, true );
 			// If status is good and the value is 'throttled-mailpassword', we want to pretend
-			// that the request was a good to avoid displaying an error message and disclose
+			// that the request was good to avoid displaying an error message and disclose
 			// if a reset password was previously sent.
 			if ( $status->isGood() && $status->getValue() === 'throttled-mailpassword' ) {
 				return StatusValue::newGood();

languages/i18n/en.json

@@ -607,7 +607,7 @@
 	"passwordreset-emailtext-user": "User $1 on {{SITENAME}} requested a reset of your password for {{SITENAME}}\n($4). The following user {{PLURAL:$3|account is|accounts are}} associated with this email address:\n\n$2\n\n{{PLURAL:$3|This temporary password|These temporary passwords}} will expire in {{PLURAL:$5|one day|$5 days}}.\nYou should log in and choose a new password now. If someone else made this\nrequest, or if you have remembered your original password, and you no longer\nwish to change it, you may ignore this message and continue using your old\npassword.",
 	"passwordreset-emailelement": "Username:\n$1\n\nTemporary password:\n$2",
 	"passwordreset-success": "You have a requested a password reset.",
-	"passwordreset-success-details-generic": "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the [[mw:Special:MyLanguage/Help:Reset_password|reset password help page]]. Note that <strong>only one password reset email will be sent per valid account every {{PLURAL:$1|hour|$1 hours}}</strong> in order to prevent abuse.",
+	"passwordreset-success-details-generic": "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the [[mw:Special:MyLanguage/Help:Reset_password|reset password help page]] or try again later. You can only <strong>request a limited number of password resets within a short period of time. Only one password reset email will be sent per valid account every {{PLURAL:$1|hour|$1 hours}}</strong> in order to prevent abuse.",
 	"passwordreset-success-info": "The details you submitted are: $1",
 	"passwordreset-emailtext-require-email": "However, if you did not generate this request and want to prevent unsolicited\nemails, you may want to update your email options at\n$1.\nYou can require both username and email address to generate password reset\nemails. This may reduce the number of such incidents.",
 	"passwordreset-nocaller": "A caller must be provided",

tests/phpunit/includes/user/PasswordResetTest.php

@@ -327,36 +327,46 @@ class PasswordResetTest extends MediaWikiTestCase {
 				'email' => self::VALID_EMAIL,
 				'usersWithEmail' => [],
 			],
-			'Email required for resets but is empty, pretend everything is OK' => [
+			'Throttled, pretend everything is ok' => [
+				'expectedError' => false,
+				'config' => $defaultConfig,
+				'performingUser' => $throttledUser,
+				'permissionManager' => $permissionManager,
+				'authManager' => $this->makeAuthManager(),
+				'username' => 'User1',
+				'email' => '',
+				'usersWithEmail' => [],
+			],
+			'Throttled, email required for resets, is invalid, pretend everything is ok' => [
 				'expectedError' => false,
 				'config' => $emailRequiredConfig,
 				'performingUser' => $throttledUser,
 				'permissionManager' => $permissionManager,
 				'authManager' => $this->makeAuthManager(),
 				'username' => 'User1',
+				'email' => '[invalid email]',
+				'usersWithEmail' => [],
+			],
+			'Email required for resets but is empty, pretend everything is OK' => [
+				'expectedError' => false,
+				'config' => $emailRequiredConfig,
+				'performingUser' => $performingUser,
+				'permissionManager' => $permissionManager,
+				'authManager' => $this->makeAuthManager(),
+				'username' => 'User1',
 				'email' => '',
 				'usersWithEmail' => [],
 			],
 			'Email required for resets, is invalid' => [
 				'expectedError' => 'passwordreset-invalidemail',
 				'config' => $emailRequiredConfig,
-				'performingUser' => $throttledUser,
+				'performingUser' => $performingUser,
 				'permissionManager' => $permissionManager,
 				'authManager' => $this->makeAuthManager(),
 				'username' => 'User1',
 				'email' => '[invalid email]',
 				'usersWithEmail' => [],
 			],
-			'Throttled' => [
-				'expectedError' => 'actionthrottledtext',
-				'config' => $defaultConfig,
-				'performingUser' => $throttledUser,
-				'permissionManager' => $permissionManager,
-				'authManager' => $this->makeAuthManager(),
-				'username' => 'User1',
-				'email' => '',
-				'usersWithEmail' => [],
-			],
 			'Password email already sent within 24 hours, pretend everything is ok' => [
 				'expectedError' => false,
 				'config' => $defaultConfig,