Page MenuHomePhabricator

Update InviteSignup to use AuthManager
Open, Needs TriagePublic

Description

AddNewAccount and UserCreateForm are being deprecated. InviteSignup will break when AuthManager is merged and defaulted on (in a few weeks, probably). The extension could probably changed to:

  • use the AuthChangeFormFields hook for the form manipulations now done via UserCreateForm
  • create an AuthenticationRequest subclass with a single hidden field to handle the invite URL parameter
  • create its own SecondaryAuthenticationProvider to deny users without an invite hash and to do the DB modifications after registration

Details

Related Gerrit Patches:
mediawiki/extensions/InviteSignup : master[WIP] Update InviteSignup for AuthManager
mediawiki/vagrant : masterAdd invitesignup role

Event Timeline

Tgr created this task.May 10 2016, 2:10 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 10 2016, 2:10 PM
Tgr updated the task description. (Show Details)May 12 2016, 3:39 PM
Seb35 added a subscriber: Seb35.Jul 27 2016, 8:57 AM

I wrote something similar with an AuthManager version for a client -- I didn’t know InviteSignup. The code is available on https://github.com/WikiValley/MGWiki, mainly the files EmailToken* and Special:Invitation. I’m still working on it in the next two weeks, so it will change a bit.

A difference with InviteSignup is the users are already created in my scenario. They receive an email with a link to a special page Special:Invitation, which log them with AuthManager (EmailTokenPrimaryAuthenticationProvider) and they are redirected to their userpage. You will see, I did something very hacky in the email to retrieve the token and create the URL with Special:Invitation, but I didn’t find any other way.

Change 304424 had a related patch set uploaded (by Gergő Tisza):
Add invitesignup role

https://gerrit.wikimedia.org/r/304424

Change 304424 merged by jenkins-bot:
Add invitesignup role

https://gerrit.wikimedia.org/r/304424

Tgr added a subscriber: Anomie.Aug 12 2016, 8:28 PM

A difference with InviteSignup is the users are already created in my scenario. They receive an email with a link to a special page Special:Invitation, which log them with AuthManager (EmailTokenPrimaryAuthenticationProvider) and they are redirected to their userpage. You will see, I did something very hacky in the email to retrieve the token and create the URL with Special:Invitation, but I didn’t find any other way.

That seems very wrong. As far as I can tell Special:Invitation is just a normal signup page, except it will break most of the time. And passing every account creation without any kind of check seems very pointless (LocalPasswordPrimaryAuthenticationPrivider already does that, except that it checks that the password is reasonable).

If you would like help in figuring out how to do it, feel free to open another task and add @Anomie and me to it.

create its own SecondaryAuthenticationProvider to deny users without an invite hash and [...]

@Tgr I might need to work on this soon. I was wondering how would this work, given InviteSignup doesn't really care about denying. It might be that registrations are open by default, but the extension is only used to invite people (perhaps to specific groups). In case registrations are closed, then of course with a hash one should be allowed to register.

Tgr added a comment.Feb 22 2017, 10:13 AM

You could make it configurable, sure.

I started working on a patch for this last year, let me see how far I got.

Change 339139 had a related patch set uploaded (by Gergő Tisza):
Update InviteSignup for AuthManager

https://gerrit.wikimedia.org/r/339139

Tgr added a comment.Feb 22 2017, 10:17 AM

Not very far, apparently...

Schtom added a subscriber: Schtom.Nov 2 2018, 12:57 PM