Last modified: 2014-06-07 19:40:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T57639, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 55639 - Add support for getting email and real name from API for target wikis using 1.20+
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: MediaWikiAuth
Version: master
Hardware: All All
Importance: Unprioritized normal
Reported: 2013-10-11 21:00 UTC by Isarra
Modified: 2014-06-07 19:40 UTC

Description Isarra 2013-10-11 21:00:46 UTC
Screenscraping should no longer be necessary at all for wikis using mw1.20+, assuming you can also get the real name from that.

So it should check the version, and if it's 1.20+, skip the screenscraping part. (It may not actually get the values if the user never entered anything, so checking for those may not help any.)

Otherwise go on to the ugly old hack that does the job on ugly-old-hack-needing 1.19-.
Comment 1 Carl Austin Bennett 2013-11-10 21:02:07 UTC
What exactly are you trying to do?

From http://en.illogicopedia.org/wiki/Forum:Really,_seriously,_actually_moving,_for_real_this_time it would very much appear that you are prompting for username and password, then using these credentials to log onto some other server which is not yours. Once there, you seem to be trying to ask for individual user's e-mail, real name or personal info by claiming to be that user.

If so, that's really not the way that MW is intended to work and, from a security standpoint, is a really questionable way of doing things.

There is a proper way of handling this sort of authentication without having users give you (wittingly or unwittingly) their password from some other server. You might want to look at the way the TUSC accounts are created, for instance - the user logs onto the original server and places some sort of token on their page there to indicate they're the same person requesting a new password. A similar approach was used to match Wikitravel users to the same user on Wikivoyage - even though the former is abusing [[mw:extension:AbuseFilter]] to ban all mention of WV.

If the user wants to give you their real name or e-mail, they will do so... directly.
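
The token-on-user-page approach described in comment 1, as an added example that is not part of the original bug thread or of any extension mentioned here. The token format, `SERVER_KEY`, `TOKEN_TTL`, the function names and the `revision` dictionary are assumptions made for illustration; this is not how TUSC itself is implemented.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # new wiki's secret; never shown to users
TOKEN_TTL = 15 * 60                   # assumed lifetime of a challenge, seconds


def _mac(username, issued, nonce):
    msg = f"{username}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(username, now=None):
    """Challenge string the claimant pastes onto their own user page on the old wiki."""
    if "|" in username:  # "|" is not legal in MediaWiki usernames; keeps the MAC input unambiguous
        raise ValueError("invalid username")
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"migrate-proof:{issued}:{nonce}:{_mac(username, issued, nonce)}"


def verify_claim(username, token, revision, now=None):
    """revision: latest revision of User:<username> on the old wiki, fetched
    anonymously by the new wiki, as {"user": last editor, "content": wikitext}."""
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 4 or parts[0] != "migrate-proof" or not parts[1].isdecimal():
        return False
    _, issued, nonce, mac = parts
    if now - int(issued) > TOKEN_TTL:
        return False  # stale challenge
    if not hmac.compare_digest(_mac(username, issued, nonce).encode(), mac.encode()):
        return False  # forged, or issued for a different username
    if revision["user"] != username:
        return False  # anyone can edit a user page; the account holder must have saved it
    return token in revision["content"]


if __name__ == "__main__":
    tok = issue_token("ExampleUser", now=1000)
    rev = {"user": "ExampleUser", "content": f"Hello. {tok}"}  # constructed sample revision
    print(verify_claim("ExampleUser", tok, rev, now=1100))
    rev["user"] = "SomeoneElse"
    print(verify_claim("ExampleUser", tok, rev, now=1100))
```

The new wiki never sees the old wiki's password: it only reads a public page, and the check on the revision author is what ties the token to the account holder.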
Comment 2 Kunal Mehta (Legoktm) 2013-11-10 21:18:26 UTC
(In reply to comment #1)
> What exactly are you trying to do?

As comment 0 explains, the extension is currently screenscraping (Ew), and should use the API instead.

> From
> http://en.illogicopedia.org/wiki/Forum:Really,_seriously,_actually_moving,_for_real_this_time
> it would very much appear that you are prompting for username and password,
> then using these credentials to log onto some other server which is not
> yours.
> Once there, you seem to be trying to ask for individual user's e-mail, real
> name or personal info by claiming to be that user.

Yes, that is basically what the MediaWikiAuth extension does.

> If so, that's really not the way that MW is intended to work and, from a
> security standpoint, is a really questionable way of doing things.

Okay.

> There is a proper way of handling this sort of authentication without having
> users give you (wittingly or unwittingly) their password from some other
> server. You might want to look at the way the TUSC accounts are created, for
> instance - the user logs onto the original server and places some sort of
> token on their page there to indicate they're the same person requesting a new
> password. A similar approach was used to match Wikitravel users to the same
> user on Wikivoyage - even though the former is abusing
> [[mw:extension:AbuseFilter]] to ban all mention of WV.

Cool. Feel free to write an extension that transparently takes care of all of this.
Comment 3 Gerrit Notification Bot 2013-11-10 21:19:35 UTC
Change 88150 had a related patch set uploaded by Legoktm:
[WIP] Use the API to fetch the email if possible

https://gerrit.wikimedia.org/r/88150
Comment 4 Gerrit Notification Bot 2014-06-07 14:07:10 UTC
Change 88150 merged by Jack Phoenix:
Use the API to fetch the email and realname if possible

https://gerrit.wikimedia.org/r/88150
