Page MenuHomePhabricator
Create Task
Maniphest T62303

SUL recreation of renamed users should be prevented
Closed, InvalidPublic
Actions

Description

Author: writ.keeper.enwp

Description:
If a user gets renamed on a local wiki, their account for that wiki is detached from their global SUL account, which frees up their old username. However, if that user logs into their old username, whether from old browser information (old sessions, saved username/passwords, etc.) or from accidentally typing in their old username, SUL will quietly recreate their account for them, and they might continue editing without knowing that they're not using their new username. This can cause particular problems if their rename had a privacy aspect to it (e.g. they renamed themselves to remove their real name from their username). I would propose some sort of cooldown on SUL automatic creation of usernames that have been recently renamed locally to prevent these issues.

See also bug 32647, which is related to logging these.

Version: unspecified
Severity: normal

Details

Reference
bz60303

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 2:53 AM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz60303.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Jan 21 2014, 8:20 PM
bzimport added a comment.Jan 21 2014, 8:24 PM

writ.keeper.enwp wrote:

I have a few examples of this happening in the wild, but because of the aforementioned privacy issues, I'm reluctant to discuss them unless necessary. I can probably dig up some non-private examples, too, though.

Snowolf added a comment.Jan 21 2014, 8:49 PM

This should be handled thru global rename procedures, imo: after a global rename, the source username is either (a) deleted or (b) forced to login again. More likely (a).

bzimport added a comment.Jan 21 2014, 9:06 PM

writ.keeper.enwp wrote:

Well, my primary concern is the immediate privacy issues, wherein users that have gotten their real names removed from their usernames are inadvertently spreading their real names hither and thither. I agree that, once SUL finalization is...finalized...this ceases to be an issue, but until then (and last I checked, that date was still TBD), I think that this is a serious enough issue to warrant some kind of action. For clarity: the recreation cooldown should only apply locally (i.e. on the wiki where the user was renamed), not globally. It doesn't completely solve the problem, but it'll help. Forcing a re-login after a rename would also help, to a somewhat lesser extent (it might not cover the case where a browser autopoulates the username).

werdna unsubscribed.Dec 10 2014, 5:27 PM
CptViraj subscribed.Nov 13 2020, 5:48 AM
taavi closed this task as Invalid.Jul 23 2023, 5:03 PM
taavi subscribed.

SUL finalization has happened.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL