Last modified: 2014-04-09 06:12:30 UTC
At the present time, AuthPlugin's user validity checks are limited to testing whether the user exists, and testing whether the username and password combination is valid. However, a MediaWiki user has other relevant states that can be mapped to the external authenticator - mBlockedBy, mBlockedReason, mRights. If the AuthPlugin:initUser method is used to set these attributes, the blocked user condition is set too late to be effective. If these external checks are placed in AuthPlugin:authenticate(), only the "incorrect password" error is displayed to the user, even if the real cause was that the user was blocked. At a minimum, the change could include adding an AuthPlugin:isBlocked method which callers could use to set a "blocked" message. This does raise the question of whether to autocreate a user that is either banned or has special privileges. I would probably say create the blocked user but disregard the special privileges. Sysop promotion should be a rare circumstance with enough security consequences that it should be manual.
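A standalone sketch of the login flow this report asks for, added here as an example and not MediaWiki or AuthPlugin code: the external check returns a distinct "blocked" status before any session is issued, and auto-creation copies block state but ignores external rights. All function names, constants and the sample directory are hypothetical.

```php
<?php
// Hypothetical model of the login flow; none of these names are MediaWiki APIs.
const LOGIN_OK = 'ok';
const LOGIN_BAD_CREDENTIALS = 'bad-credentials';
const LOGIN_BLOCKED = 'blocked';

// Constructed sample directory standing in for the external authenticator.
function sampleDirectory(): array {
    return [
        'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT),
                    'blockedBy' => null, 'blockedReason' => null, 'rights' => ['sysop']],
        'mallory' => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT),
                      'blockedBy' => 'admin', 'blockedReason' => 'spam', 'rights' => []],
    ];
}

function externalLogin(array $dir, array &$localUsers, string $name, string $password): array {
    $entry = $dir[$name] ?? null;
    // Verify the password first, so block status is only disclosed to someone holding the credentials.
    if ($entry === null || !password_verify($password, $entry['hash'])) {
        return ['status' => LOGIN_BAD_CREDENTIALS];
    }
    // Auto-create the local account, copying block state but never external rights.
    if (!isset($localUsers[$name])) {
        $localUsers[$name] = ['rights' => []];
    }
    $localUsers[$name]['blockedBy'] = $entry['blockedBy'];
    $localUsers[$name]['blockedReason'] = $entry['blockedReason'];
    // The block check runs before any session is issued and has its own status.
    if ($entry['blockedBy'] !== null) {
        return ['status' => LOGIN_BLOCKED, 'reason' => $entry['blockedReason']];
    }
    return ['status' => LOGIN_OK, 'rights' => $localUsers[$name]['rights']];
}

// Constructed login attempts: valid user, blocked user, blocked user with a wrong password.
$dir = sampleDirectory();
$local = [];
foreach ([['alice', 'correct horse'], ['mallory', 'hunter2'], ['mallory', 'wrong']] as [$u, $p]) {
    echo $u, ': ', json_encode(externalLogin($dir, $local, $u, $p)), PHP_EOL;
}
```

Here alice logs in with no local rights even though the directory lists her as sysop, and mallory sees the blocked status only when the password is correct.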
Daniel, could you help assess the current relevance of this old & uncommented enhancement request? Or maybe you know the right people to CC here. Thank you.
Well, we haven't changed AuthPlugin much so it's probably still valid. Our auth plugin system isn't the most flexible. Don't know who to cc.
Setting to Lowest to reflect the fact that nobody is working or planning to work on this.