Last modified: 2008-02-05 02:34:26 UTC
On the English Wikipedia, anonymous users who want accounts but can't create them themselves (because the name is too similar or account creation is disabled from their IP address) can request them at http://en.wikipedia.org/wiki/WP:ACC whereupon a trusted user will create the account via the "by e-mail" button on the account creation form.
Once they have done so, the user requesting the account recieves an automated e-mail, which looks like this:
The account "[name]" has been created on Wikipedia for you.
You have been given a temporary password "[password]". Please log in with these credentials where you will be prompted to change your password.
This account was created by someone at [IP address]. You may ignore this message if it was created in error.
That IP address is the IP address of whoever *created the account* -- an administrator or other trusted user. Since the username of whoever handled the request can be found in the page history, the two can be connected. Thus anyone who handles an account creation request is sending their IP address to the requestee.
Can this be avoided somehow?
Created attachment 4553 [details]
If logged-in user is creating an account by e-mail, put their username in the confirmation email instead of their IP address.
Should also change the text of the e-mail (wherever that's stored) so it makes sense with a username there instead of an IP address (remove the "someone at").
bumping severity, as it's a safty issue
Fixed in r30562.
Oh, I didn't spot the existing patch. Maybe that would be a better idea, but I can't effectively test it (doubt I have working e-mail on localhost), so what I committed will do for now.