Last modified: 2013-07-18 17:49:24 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T53603, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 51603 - SUL2 possibly mixing up user sessions
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: unspecified
Platform: All
OS: All
Priority: Immediate
Severity: major
Target Milestone: ---
Assigned To: Brad Jorsch
Reported: 2013-07-18 13:19 UTC by Derk-Jan Hartman
Modified: 2013-07-18 17:49 UTC
CC: 7 users



Description Derk-Jan Hartman 2013-07-18 13:19:39 UTC
This seems like a possible security problem:

https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#New_Single_User_Login_system.2C_login_success_page_going_away

Quoting:
This system is buggy. I own the SUL account "Stefan2", but other people own my username locally on Commons and two language editions of Wikipedia, and the accounts on those three projects are not attached to SUL (see sulutil:Stefan2). If I go to Commons, the new SUL system partially logs me in to the local Stefan2 account on Commons: Commons:Special:Preferences tells that I'm not logged in, but the links at the top say that I'm logged in. The user name, Special:Contributions link and "log out" links are all there. Also, the interface is partially in English, partially in German. I'm guessing that the one who set the interface to German was the guy who owns the user name on Commons. I don't know whether I can access any private data other than the language setting, and I don't know whether any edits would be attributed to my IP address or to Commons:User:Stefan2. In any case, things seem to be wrong, and there may be security issues with this. Screenshot: http://i.imgur.com/TvwRbSE.png
Comment 1 Brad Jorsch 2013-07-18 14:32:39 UTC
I don't think this is a security issue; the only thing that is confused into thinking you're logged in is the "replace the p-personal bar" script. It's also a minimal data leak, as all that's leaked is what can be directly gleaned from the p-personal bar: the user's language setting and whether they have any unread Echo notifications.

I have a patch all set to fix this, now I'm mainly waiting for this morning's Gerrit maintenance to finish and for someone else to be around who can review it. Then we'll grab a maintenance window and deploy the fix.
Comment 2 Brad Jorsch 2013-07-18 15:49:57 UTC
Gerrit change #74369 has been uploaded and merged, and is in the process of being deployed to WMF wikis as I write this. So I'm going to mark this as fixed now.
Comment 3 Andre Klapper 2013-07-18 17:49:24 UTC
Brad: Once again thanks for the quick help, analysis, and fix! Appreciated.
