Last modified: 2008-02-05 02:34:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T14660, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 12660 - Users who request accounts are sent an administrator's IP address by e-mail
Users who request accounts are sent an administrator's IP address by e-mail
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Normal major (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-17 08:46 UTC by Gurch
Modified: 2008-02-05 02:34 UTC (History)
5 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
If logged-in user is creating an account by e-mail, put their username in the confirmation email instead of their IP address. (620 bytes, patch)
2008-01-17 08:59 UTC, Fran Rogers
Details

Description Gurch 2008-01-17 08:46:11 UTC
On the English Wikipedia, anonymous users who want accounts but can't create them themselves (because the name is too similar or account creation is disabled from their IP address) can request them at http://en.wikipedia.org/wiki/WP:ACC whereupon a trusted user will create the account via the "by e-mail" button on the account creation form.

Once they have done so, the user requesting the account recieves an automated e-mail, which looks like this:

  The account "[name]" has been created on Wikipedia for you.

  You have been given a temporary password "[password]". Please log in with these credentials where you will be prompted to change your password.

  This account was created by someone at [IP address]. You may ignore this message if it was created in error.

That IP address is the IP address of whoever *created the account* -- an administrator or other trusted user. Since the username of whoever handled the request can be found in the page history, the two can be connected. Thus anyone who handles an account creation request is sending their IP address to the requestee.

Can this be avoided somehow?
Comment 1 Fran Rogers 2008-01-17 08:59:19 UTC
Created attachment 4553 [details]
If logged-in user is creating an account by e-mail, put their username in the confirmation email instead of their IP address.
Comment 2 Gurch 2008-01-17 09:03:23 UTC
Should also change the text of the e-mail (wherever that's stored) so it makes sense with a username there instead of an IP address (remove the "someone at").
Comment 3 Carl Fürstenberg 2008-02-05 00:29:24 UTC
bumping severity, as it's a safty issue
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-02-05 02:19:22 UTC
Fixed in r30562.
Comment 5 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-02-05 02:34:26 UTC
Oh, I didn't spot the existing patch.  Maybe that would be a better idea, but I can't effectively test it (doubt I have working e-mail on localhost), so what I committed will do for now.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links