Last modified: 2014-05-01 15:49:01 UTC
Suppose a user has an account on more than one wiki, these accounts have not yet been merged, and they have different passwords. If the user tries to merge accounts from the non-home account, and they enter the password from their home account, they get an invalid password, and if they enter the password from their non-home account, they get a 'this is not your home account' error telling them to log in at the other wiki and repeat the process. However, clicking the browser's 'back' button on this screen and then typing in the home account password will lead to a successful merge. If the user has more than two accounts, then any which match either password will be considered a password match. I'm not sure if this is a bug or a feature. (If the password that's entered the second time round doesn't match any account with that username, it's 'accepted' anyway, but makes no difference to the merge process; this part of the behaviour is most probably a bug, but a minor one unless it's a security flaw, and I can't see a way in which it is a security flaw at the moment.) What I suggest is that this should be considered a feature, not a bug, but the step of clicking 'back' should be skipped, because it's nonintuitive. Instead, the 'this is not your home account' screen should say something along the lines of 'the home account for this username isn't this wiki but a different wiki; to confirm that the two accounts are owned by the same person, please enter the password for that account as well', followed by another password entry box. (The pre-existing 'feature' means that this should be easy to code, simply by using the pre-existing code.) This would be more convenient for users and more intuitive; it wouldn't require going to a different wiki, logging on there, and then retyping the password a second time, which is what the previously intended method required.
Hi ais523! Sorry that nobody has taken a look at this report yet and given feedback. Does this use case mostly affect Wikimedia wikis, or is this a common use case for wikis that you host? If this is mostly about Wikimedia, I propose WONTFIX, as nobody should spend time on this now that Single User Login (SUL) is in the making - see bug 35707.
The report was for Wikimedia, and specifically about the process of converting pre-Single User Login accounts over to the Single User Login system. Given how long ago the transition happened, the bug is only potentially still relevant if someone comes back to Wikimedia after years away, and still has accounts dating from before Single User Login. Thus, I don't think there's much real purpose in fixing it any more (especially because it's just an interface complaint).
Thanks for the quick answer. I agree there's probably not much real purpose in fixing it anymore. :-/