Last modified: 2014-09-23 23:52:45 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T26464, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 24464 - Execute LoginAuthenticateAudit hook more often
Execute LoginAuthenticateAudit hook more often
Status: NEW
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Low enhancement (vote)
: ---
Assigned To: Tyler Romeo
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-20 20:39 UTC by Michael Newton
Modified: 2014-09-23 23:52 UTC (History)
9 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
more judicious use of LoginAuthenticateAudit hooks (1.34 KB, patch)
2010-07-20 20:39 UTC, Michael Newton 		Details
updated patch for 1.17.0 (2.20 KB, patch)
2011-11-14 19:23 UTC, Michael Newton 		Details
patch against trunk (462 bytes, patch)
2012-02-09 01:10 UTC, Michael Newton 		Details
Show Obsolete (2) Add an attachment (proposed patch, testcase, etc.)

Description Michael Newton 2010-07-20 20:39:47 UTC 
Created attachment 7578 [details]
more judicious use of LoginAuthenticateAudit hooks

We wanted to create a log of hack attempts on our wiki but hooking in to LoginAuthenticateAudit only captures login attempts from valid users. Could the hook be added anywhere the authenticateUserData function returns? Attached is the solution we ended up using against version 1.15.3.
Comment 1 p858snake 2011-04-30 00:09:19 UTC 
*Bulk BZ Change: +Patch to open bugs with patches attached that are missing the keyword*
Comment 2 Sumana Harihareswara 2011-11-10 06:07:25 UTC 
Thanks for the patch, Michael, and sorry for the wait!  Signalling that this patch needs review by adding the "need-review" keyword.
Comment 3 Michael Newton 2011-11-14 19:23:46 UTC 
Created attachment 9446 [details]
updated patch for 1.17.0
Comment 4 Mark A. Hershberger 2011-11-16 22:26:48 UTC 
Next time, please try to use the code from subversion so we can apply it more easily r103396
Comment 5 Bawolff (Brian Wolff) 2011-11-16 23:59:51 UTC 
Hi. I reverted this because it called the hook with the argument $u in places before $u is defined (Which broke unit tests). For example when we check if the user didn't enter a name, we don't have a user object yet.

Probably way forward would be to create a new hook to audit situations where the login was rejected out of hand for the user being 'stupid'.

Cheers.
Comment 6 Chad H. 2012-02-06 22:46:14 UTC 
This was re-applied in r103467 & r106446 but wasn't marked FIXED. I've reverted it (again) in r110797, so REOPENED is appropriate.
Comment 7 Michael Newton 2012-02-09 01:10:26 UTC 
Created attachment 9973 [details]
patch against trunk

I'll submit one more, very stripped down, try at this. Previous patch was blindly calling the hook every time authenticateUserData returned which was obviously overkill.
This should allow logging of failed login attempts with invalid user names.
Comment 8 Sumana Harihareswara 2012-02-13 04:41:23 UTC 
Michael, thanks for the new patch.  I have changed the "reviewed" keyword to "need-review" to indicate that the new patch has not yet been reviewed and awaits critique and/or acceptance.
Comment 9 Sumana Harihareswara 2012-07-20 18:58:56 UTC 
Brion, could I ask you to look at this?
Comment 10 Tyler Romeo 2012-12-09 17:33:18 UTC 
The patch in its current form is not OK. The hook in its current state is documented as passing a User object. If, by chance, there's an extension that decided to use type hinting on the hook call, this would cause errors in those cases. Also, it's just bad design.

However, it is a good idea to be calling this hook all the time, so I'll try and think of a proper solution when I get back from lunch.
Comment 11 Tyler Romeo 2012-12-10 04:54:54 UTC 
https://gerrit.wikimedia.org/r/37788

This restructures User::authenticateUserData so that it always reaches the end of the function. Also, it guarantees that a User object is always passed to the hook.
Comment 12 Gerrit Notification Bot 2013-05-18 18:25:08 UTC 
https://gerrit.wikimedia.org/r/37788 (Gerrit Change I316bbacf4d9fa5558c63fb09e8d0aef98503c556) | change ABANDONED [by Parent5446]
Comment 13 Gerrit Notification Bot 2013-08-22 18:18:06 UTC 
Change 27022 abandoned by Parent5446:
Re-implemented Special:Userlogin using FormSpecialPage.

Reason:
The rest of the login system needs to be fixed before the UI part.

https://gerrit.wikimedia.org/r/27022
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links