Steps to reproduce:
- create a user on vagrant with the centralauth role enabled; that should create a local user on devwiki and loginwiki
- unattach the loginwiki account
The user will be able to log in, but not able to log out. I think what happens is:
- at login, the user is sent to loginwiki:Special:CentralLogin/start which never checks whether the account is connected, and logs the user in on loginwiki
- at logout, the user is logged out locally, and the global token is reset, but that won't affect the unconnected loginwiki account. Not being logged in triggers an autologin sequence; again, loginwiki:Special:CentralLogin/checkLoggedIn never checks if the user is connected, so they get logged in again.
In theory unconnected accounts on loginwiki should not exist. In practice, I have several on my test machine. I initially thought that's the side effect of me doing strange things while debugging, but today I realized that new ones are still being created when I do normal testing via the web UI. I'm not sure if the same thing happens in production (and haven't yet found a query which would find such accounts in a reasonable time), but I'd rather err on the side of caution.
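The following is an added illustration, not CentralAuth code and not part of the original report: a small Python model of the login, logout and autologin sequence described above, with and without an attachment check on the loginwiki endpoints. The class, its method names, and the assumption that an unattached account's session is validated against a per-wiki local token instead of the global token are constructed for this sketch.

```python
import secrets

class CentralAuthModel:
    """Toy model of the reported flow; names and token handling are assumptions."""
    def __init__(self, check_attached):
        self.check_attached = check_attached      # True = endpoints verify attachment
        self.global_token = secrets.token_hex(8)
        self.local_token = {w: secrets.token_hex(8) for w in ("devwiki", "loginwiki")}
        self.attached = {"devwiki": True, "loginwiki": True}
        self.cookies = {}                         # wiki -> token held by the browser

    def _expected(self, wiki):
        # Attached accounts follow the global token, unattached ones a local token.
        return self.global_token if self.attached[wiki] else self.local_token[wiki]

    def session_valid(self, wiki):
        return self.cookies.get(wiki) == self._expected(wiki)

    def central_login_start(self):                # models Special:CentralLogin/start
        if self.check_attached and not self.attached["loginwiki"]:
            return False
        self.cookies["loginwiki"] = self._expected("loginwiki")
        return True

    def login(self):
        self.cookies["devwiki"] = self._expected("devwiki")
        self.central_login_start()

    def logout(self):
        self.cookies.pop("devwiki", None)         # local logout
        self.global_token = secrets.token_hex(8)  # global token reset

    def check_logged_in(self):                    # models Special:CentralLogin/checkLoggedIn
        if self.check_attached and not self.attached["loginwiki"]:
            return False
        if not self.session_valid("loginwiki"):
            return False
        self.cookies["devwiki"] = self._expected("devwiki")
        return True

def logged_in_after_logout(loginwiki_attached, check_attached):
    """Log in, log out, let autologin run; report whether devwiki has a session."""
    m = CentralAuthModel(check_attached)
    m.attached["loginwiki"] = loginwiki_attached
    m.login()
    m.logout()
    m.check_logged_in()                           # autologin triggered by being logged out
    return m.session_valid("devwiki")

if __name__ == "__main__":
    print("attached, no check:  ", logged_in_after_logout(True, False))
    print("unattached, no check:", logged_in_after_logout(False, False))
    print("unattached, checked: ", logged_in_after_logout(False, True))
```

In the model, only the unattached account without the check ends up logged in again after logout, because the global token reset never invalidates its loginwiki session.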