Last modified: 2014-04-09 06:12:30 UTC
At the present time, AuthPlugin's user validity checks are limited to testing
whether the user exists, and testing whether the username and password combination
is valid. However, a MediaWiki user has other relevant states that can be mapped
to the external authenticator - mBlockedBy, mBlockedReason, mRights.
If the AuthPlugin:initUser method is used to set these attributes, the blocked user
condition is set too late to be effective. If these external checks are placed in
AuthPlugin:authenticate(), only the "incorrect password" error is displayed to the
user, even if the real cause was that the user was blocked.
At a minimum, the change could include adding an AuthPlugin:isBlocked method which
callers could use to set a "blocked" message.
This does raise the question of whether to autocreate a user that is either banned
or has special privileges. I would probably say create the blocked user but
disregard the special privileges. Sysop promotion should be a rare circumstance
with enough security consequences that it should be manual.
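
The failure mode described in the report above, as an added standalone PHP model (not part of the original report, and not MediaWiki or AuthPlugin code). It contrasts a boolean check that hides the block with a separate block query, plus autocreation that ignores externally asserted rights. All function names, the account data and the returned message strings are constructed for illustration.

```php
<?php
// Standalone model, not MediaWiki code. Function names and sample accounts
// are hypothetical; a real directory would not hold plaintext passwords.
$directory = [
    'alice' => ['password' => 'sample-pw-1', 'blocked' => false, 'rights' => []],
    'bob'   => ['password' => 'sample-pw-2', 'blocked' => true,  'rights' => ['sysop']],
];

// Password check only, with a constant-time comparison.
function passwordOk(array $dir, string $name, string $pw): bool {
    return isset($dir[$name]) && hash_equals($dir[$name]['password'], $pw);
}

// Hypothetical separate block query, the shape the report asks for.
function isBlocked(array $dir, string $name): bool {
    return $dir[$name]['blocked'] ?? false;
}

// Flow A: block test folded into one boolean result.
// The caller cannot tell "blocked" from "wrong password".
function loginFolded(array $dir, string $name, string $pw): string {
    $ok = passwordOk($dir, $name, $pw) && !isBlocked($dir, $name);
    return $ok ? 'success' : 'incorrect password';
}

// Flow B: verify the password first, then query the block, so block status
// is only disclosed to someone who holds the credentials.
function loginSeparate(array $dir, string $name, string $pw, array &$local): string {
    if (!passwordOk($dir, $name, $pw)) {
        return 'incorrect password';
    }
    $blocked = isBlocked($dir, $name);
    if (!isset($local[$name])) {
        // Autocreate even when blocked; external 'rights' are not copied.
        $local[$name] = ['blocked' => $blocked, 'rights' => []];
    } else {
        $local[$name]['blocked'] = $blocked;
    }
    return $blocked ? 'blocked' : 'success';
}

$local = [];
echo loginFolded($directory, 'bob', 'sample-pw-2'), "\n";
echo loginSeparate($directory, 'bob', 'sample-pw-2', $local), "\n";
echo json_encode($local['bob']), "\n";
```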
Daniel, could you help assess the current relevance of this old & uncommented enhancement request? Or maybe you know the right people to CC here. Thank you.
Well, we haven't changed AuthPlugin much so it's probably still valid. Our auth plugin system isn't the most flexible.
Don't know who to cc.
Setting to Lowest to reflect the fact that nobody is working or planning to work on this.