Page MenuHomePhabricator
Create Task
Maniphest T14660

Users who request accounts are sent an administrator's IP address by e-mail
Closed, ResolvedPublic
Actions

Description

Author: matthew.britton

Description:
On the English Wikipedia, anonymous users who want accounts but can't create them themselves (because the name is too similar or account creation is disabled from their IP address) can request them at http://en.wikipedia.org/wiki/WP:ACC whereupon a trusted user will create the account via the "by e-mail" button on the account creation form.

Once they have done so, the user requesting the account recieves an automated e-mail, which looks like this:

The account "[name]" has been created on Wikipedia for you.

You have been given a temporary password "[password]". Please log in with these credentials where you will be prompted to change your password.

This account was created by someone at [IP address]. You may ignore this message if it was created in error.

That IP address is the IP address of whoever *created the account* -- an administrator or other trusted user. Since the username of whoever handled the request can be found in the page history, the two can be connected. Thus anyone who handles an account creation request is sending their IP address to the requestee.

Can this be avoided somehow?

Version: unspecified
Severity: major

Details

Reference
bz12660

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:03 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz12660.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Jan 17 2008, 8:46 AM
bzimport added a comment.Jan 17 2008, 8:59 AM

fran wrote:

If logged-in user is creating an account by e-mail, put their username in the confirmation email instead of their IP address.

Attached:

SpecialUserlogin.patch620 BDownload

bzimport added a comment.Jan 17 2008, 9:03 AM

matthew.britton wrote:

Should also change the text of the e-mail (wherever that's stored) so it makes sense with a username there instead of an IP address (remove the "someone at").

AzaToth added a comment.Feb 5 2008, 12:29 AM

bumping severity, as it's a safty issue

bzimport added a comment.Feb 5 2008, 2:19 AM

ayg wrote:

Fixed in r30562.

bzimport added a comment.Feb 5 2008, 2:34 AM

ayg wrote:

Oh, I didn't spot the existing patch. Maybe that would be a better idea, but I can't effectively test it (doubt I have working e-mail on localhost), so what I committed will do for now.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL