Last modified: 2014-05-01 15:49:01 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 11982 - Show a second password entry box after the correct password is entered but on a non-home account
Show a second password entry box after the correct password is entered but on...
Product: MediaWiki extensions
Classification: Unclassified
CentralAuth (Other open bugs)
All All
: Lowest enhancement with 2 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2007-11-14 16:26 UTC by ais523
Modified: 2014-05-01 15:49 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description ais523 2007-11-14 16:26:46 UTC
Suppose a user has an account on more than one wiki, these accounts have not yet been merged, and they have different passwords. If the user tries to merge accounts from the non-home account, and they enter the password from their home account, they get an invalid password, and if they enter the password from their non-home account, they get a 'this is not your home account' error telling them to log in at the other wiki and repeat the process. However, clicking the browser's 'back' button on this screen and then typing in the home account password will lead to a successful merge. If the user has more than two accounts, then any which match either password will be considered a password match. I'm not sure if this is a bug or a feature. (If the password that's entered the second time round doesn't match any account with that username, it's 'accepted' anyway, but makes no difference to the merge process; this part of the behaviour is most probably a bug, but a minor one unless it's a security flaw, and I can't see a way in which it is a security flaw at the moment.)

What I suggest is that this should be considered a feature, not a bug, but the step of clicking 'back' should be skipped, because it's nonintuitive. Instead, the 'this is not your home account screen' should say something along the lines of 'the home account for this username isn't this wiki but a different wiki; to confirm that the two accounts are owned by the same person, please enter the password for that account as well', followed by another password entry box. (The pre-existing 'feature' means that this should be easy to code, simply by using the pre-existing code.) This would be more convenient for users and more intuitive; it wouldn't require going to a different wiki, logging on there, and then retyping the password a second time, which is what the previously intended method required.
Comment 1 Andre Klapper 2014-04-29 06:13:09 UTC
Hi ais523! Sorry that nobody has taken a look at this report yet and given feedback.

Does this usecase mostly affect Wikimedia wikis, or is this a common usecase for wikis that you host?

If this is mostly about Wikimedia, I propose WONTFIX, as nobody should spend time on this now that Single User Login (SUL) is in the making - see bug 35707.
Comment 2 ais523 2014-04-29 12:23:42 UTC
The report was for Wikimedia, and specifically about the process of converting pre-Single Use Login accounts over to the Single User Login system. Given how long ago the transition happened, the bug is only potentially still relevant if someone comes back to Wikimedia after years away, and still has accounts dating from before Single User Login. Thus, I don't think there's much real purpose in fixing it, any more (especially because it's just an interface complaint).
Comment 3 Andre Klapper 2014-05-01 15:49:01 UTC
Thanks for the quick answer.
I agree there's probably not much real purpose in fixing it anymore. :-/

Note You need to log in before you can comment on or make changes to this bug.