Page MenuHomePhabricator
Create Task
Maniphest T110431

Audit extensions using authentication-related hooks
Closed, ResolvedPublic
Actions

Description

There are a few hooks other than T110414 which are related to authentication (or authentication data change) and using them is a sign that the extension might benefit from an update after AuthManager is merged. Possibly incomplete list (I just searched doc/hooks.txt for hooks with "abort", "login", "auth", "session", "email" or "password" in the name):

Authentication:

Login/signup/logout process:

Email change:

Password change:

Password reset:

Related Objects
Search...

Event Timeline

Tgr created this task.Aug 26 2015, 11:32 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: MediaWiki-Core-AuthManager, Reading-Infrastructure-Team-Old (Don't use), MediaWiki-extensions-General.
Tgr added subscribers: Aklapper, Tgr.
Tgr updated the task description. (Show Details)Aug 27 2015, 5:59 AM
Tgr set Security to None.
Tgr mentioned this in T91303: Audit extensions for use of $wgAuth.Aug 27 2015, 6:20 AM
bd808 moved this task from Backlog to AuthManager Backlog on the MediaWiki-Core-AuthManager board.Aug 28 2015, 5:25 PM
Tgr added a comment.EditedSep 4 2015, 12:00 AM

Omitting the extensions already listed in the other audit tasks, the matching extensions (on gerrit) are (extensions that are probably not affected by AuthManager are striked through):

  • AccountAudit: just stores audit info on login
  • ArticleFeedbackv5: uses UserLoginComplete to preserve workflow through login
  • BlueSpiceExtensions: the UserManager sub-extension tries to be its own auth manager
  • Campaigns: just logs info on registration
  • CustomUserSignup: replaces the signup template with a custom one. This will probably not be possible with AuthManager. Extension is unmaintaned and superseded by Campaigns and GettingStarted so that's probably not a huge deal.
  • FlaggedRevs: does some non-auth-related session magic (review conflict prevention?) on UserLoadAfterLoadFromSession
  • GettingStarted: uses UserLogoutComplete to clean up some cookies
  • GlobalBlocking: blocks password reset via SpecialPasswordResetOnSubmit when the user is blocked; we can probably keep that
  • InviteSignup: disallow registration unless the user follows a link from an invite email. Maybe this could be a pre-auth provider, but it won't be broken by the auth framework rewrite.
  • LDAPAuthorization: authz
  • MobileFrontend: does its own login not anymore, just adds a logo to the forms
  • NetworkAuth: IP-based authentication. Should be a session handler.
  • NSFileRepo: authz
  • OnlineStatus: just updates status on login/logout
  • OnlineStatusBar: just updates status on login/logout
  • Persona: reimplements both normal and API login. Should be a provider.
  • PrivateDomains: authz
  • SecurePasswords: uses a bunch of hooks to influence password validation and storage. As long as the local password provider keeps those hooks, we should be fine.
  • SecurePoll: rolls its own authorization. Probably should be turned into a session provider but it won't be directly affected by AuthManager.
  • SimpleSecurity: authz
  • SocialLogin: login via various social media sites; should be a primary provider
  • SportsTeams: messes with Special:UserLogin in horrible hacky ways. Probably beyond saving.
  • StalkerLog: audits logins/logouts via UserLoginComplete/UserLogoutComplete
  • Sudo: probably could be rewritten cleaner as a session handler, but it won't break.
  • Translate: provides its own auth manager; that should probably be killed
  • WebPlatformAuth: exports user auth data in the (PHP) session so that it can be accessed by other websites. Probably just needs some hook name changes.
  • WikimediaIncubator: uses the auth form to pass some user data (such as which project the user is incubating). Might be cleaner as a secondary provider.
Tgr mentioned this in T111482: Update NetworkAuth to use AuthManager.Sep 4 2015, 2:48 AM
Tgr mentioned this in T111483: AuthManager should retain the MobileFrontend watermark at the top of the login screen.Sep 4 2015, 2:52 AM
Tgr mentioned this in T111484: Update Persona to use AuthManager.
Tgr mentioned this in T111485: Update SocialLogin to use AuthManager.Sep 4 2015, 2:55 AM
Tgr mentioned this in T111486: Update Translate to use AuthManager.
Tgr mentioned this in T111487: Update WikimediaIncubator to use AuthManager.
Tgr closed this task as Resolved.Sep 4 2015, 3:01 AM
Tgr claimed this task.
Tgr mentioned this in T110291: Update all extensions to use AuthManager.Jan 18 2016, 5:54 PM
Tgr mentioned this in T132330: Audit extensions using methods/hooks from LoginForm and other authentication special pages.Apr 17 2016, 9:15 PM
Fjalapeno edited projects, added Product-Infrastructure-Team-Backlog-Deprecated; removed Reading-Infrastructure-Team-Old (Don't use).Jun 7 2017, 2:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL