Page MenuHomePhabricator
Create Task
Maniphest T69995

Allow login in with pre-rename username and password
Closed, ResolvedPublic
Actions

Description

As a user who has been renamed during SUL migration
I want to login with my old name and password
So I can continue to use the wiki

As a user who has been renamed during SUL migration
I want to know that I was renamed
So I can learn my new name and/or ask for a new name

Given that I authenticate with "username" and "password"
When "password" is not valid for "username"

AND "password" is valid for "username~<WIKI>"

Then I am logged in as "username~<WIKI>"

AND I am redirected to the SUL account renamed page

Given that I am logged in
When I am redirected to the SUL account renamed page
Then I am told my account was renamed to NEW_NAME

AND I am asked to log in using that name in the future
AND I am told how I can get my new account renamed
AND I am told why all this happened
AND I am given a link to the page I wanted to visit

Version: master
Severity: enhancement

Details

Reference
bz67995

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedLegoktmT37707 Complete unification of all accounts to SUL
Resolvedbd808T69995 Allow login in with pre-rename username and password
· · ·

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 3:30 AM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz67995.
bd808 created this task.Jul 14 2014, 5:14 PM
gerritbot added a comment.Jul 17 2014, 4:46 AM

Change 147020 had a related patch set uploaded by BryanDavis:
Allow login with pre-rename username and password

https://gerrit.wikimedia.org/r/147020

gerritbot added a comment.Jul 22 2014, 5:58 PM

Change 148420 had a related patch set uploaded by BryanDavis:
[WIP] Interstitial notification page for renamed users

https://gerrit.wikimedia.org/r/148420

gerritbot added a comment.Aug 28 2014, 7:50 PM

Change 156887 had a related patch set uploaded by CSteipp:
[WIP] Allow extensions to indicate rename during login

https://gerrit.wikimedia.org/r/156887

gerritbot added a comment.Aug 28 2014, 8:44 PM

Change 156947 had a related patch set uploaded by CSteipp:
Check for renamed user on login

https://gerrit.wikimedia.org/r/156947

csteipp added a comment.Aug 28 2014, 9:13 PM

I added a few patchsets (gerrit 156887 and gerrit 156947) to add a hook to core and use that in CentralAuth to fix the remaining use case that Bryan's patch didn't cover. This feels ugly, but I'm not sure we have a better solution.

On a separate note, I wanted to document that this feature has slight security implications. Since we're automatically changing the username on login, there's a small (nearly impossible, but not entirely) chance we'll change it to the wrong username, if two users have the same password. This would be the same if pre-finalization, a local user came to a wiki and "accidentally" logged into another person's account who happened to have the same username and password.

Highly unlikely to have any real impact, but wanted to bring it up in case it bothers anyone.

bd808 added a comment.Aug 28 2014, 10:00 PM

(In reply to Chris Steipp from comment #5)

On a separate note, I wanted to document that this feature has slight
security implications. Since we're automatically changing the username on
login, there's a small (nearly impossible, but not entirely) chance we'll
change it to the wrong username, if two users have the same password. This
would be the same if pre-finalization, a local user came to a wiki and
"accidentally" logged into another person's account who happened to have the
same username and password.

Highly unlikely to have any real impact, but wanted to bring it up in case
it bothers anyone.

I think I pointed that out somewhere, but maybe it was only as discussion in a meeting. It is a fairly small new hole as the two users that are being confused must be USER and USER~wiki. Meaning the USER~wiki account is now exposed to brute force attacks on the USER account's password.

gerritbot added a comment.Sep 4 2014, 10:41 PM

Change 156887 merged by jenkins-bot:
Allow extensions to indicate a username doesn't exist

https://gerrit.wikimedia.org/r/156887

gerritbot added a comment.Sep 23 2014, 9:48 PM

Change 147020 merged by jenkins-bot:
Allow login with pre-rename username and password

https://gerrit.wikimedia.org/r/147020

gerritbot added a comment.Sep 23 2014, 11:07 PM

Change 156947 merged by jenkins-bot:
Check for renamed user on login

https://gerrit.wikimedia.org/r/156947

gerritbot added a comment.Oct 17 2014, 7:33 PM

Change 148420 merged by jenkins-bot:
Interstitial notification page for renamed users

https://gerrit.wikimedia.org/r/148420

MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 5:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL