Last modified: 2014-02-12 23:38:03 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T47101, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 45101 - Make it impossible to login as old user name after rename


Summary:	Make it impossible to login as old user name after rename

Status:	NEW

Product:	MediaWiki extensions
Classification:	Unclassified
Component:	Renameuser (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Low enhancement with 1 vote (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-02-17 15:54 UTC by Scott Martin (http://enwp.org/user:scott)
Modified:	2014-02-12 23:38 UTC (History)
CC List:	6 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Scott Martin (http://enwp.org/user:scott) 2013-02-17 15:54:56 UTC

After having your account renamed, it is possible to log in again as the old name using your current password. This should not be the case. 

I'd hazard a guess that the old user's password field in the database isn't being cleared at rename time.

Comment 1 Andre Klapper 2013-02-17 17:05:29 UTC

Hex: Which Mediawiki version is this about?

Comment 2 db [inactive,noenotif] 2013-02-17 17:10:58 UTC

Sounds like automatic account creation on SUL. Seen on many wikis at many times.

Due to the fact, that you does not know, when you account is renamed, you will first try to login with your old name and than autocreate the account.

Comment 3 Scott Martin (http://enwp.org/user:scott) 2013-02-17 17:15:54 UTC

(In reply to comment #1)
> Hex: Which Mediawiki version is this about?

1.21wmf9 (afbf386); I encountered this on the English Wikipedia.

Comment 4 Scott Martin (http://enwp.org/user:scott) 2013-02-17 17:36:12 UTC

(In reply to comment #2)
> Sounds like automatic account creation on SUL. Seen on many wikis at many
> times.
> 
> Due to the fact, that you does not know, when you account is renamed, you
> will first try to login with your old name and than autocreate the account.

Mmm. I'd say some "your account has been renamed" UI is necessary.

I'd suggest a process along the lines of the following:

- Login as old account
- Login notices that old account has a "renamed" flag set
- Screen is presented:

  Your account has been renamed, and you are now logged in as <new name>. 
  You will no longer be able to log in as <old name>. 
  
  [ OK ]

- Login ability for old account is removed

If a user is logged in on another wiki with the old account, and returns to their home wiki after a renaming has taken place, this should be detected and they should be logged out. They would then get the renaming message when logging in again.

Comment 5 Chris Steipp 2013-02-20 01:07:10 UTC

The global rename patch (https://gerrit.wikimedia.org/r/#/c/39171/) will help this, since we account for this race condition.

In the meantime, the workaround is to either delete or lock the centralauth account before doing the rename, so the user can't login with the old name and have the account autocreated.

Comment 6 Nemo 2013-05-01 15:25:04 UTC

(In reply to comment #5)
> In the meantime, the workaround is to either delete or lock the centralauth
> account before doing the rename, so the user can't login with the old name
> and
> have the account autocreated.

This is not a usable workaround.
Scrupulous bureaucrats create an account under a random username, rename it to your username and block it. Before SUL they could create it directly at your old username, but that's a minor change.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links