@kaldari @Jdforrester-WMF — Your thoughts on this ticket? I can't imagine this would open any vulnerabilities or avenues for abuse. Should I check with Legal to be safe?

@Ragesoss — Would this address WikiEd's use case?

Yes. For Wiki Ed's purposes, it should return 'true' or somesuch if an email is set, even if it has not been confirmed. We want this so that we can head off students and professors who lose their passwords without setting an email; we encourage them to set one and make it clear that they won't be able to password reset without doing so.

Yeah, this data is already publicly exposed – compare https://en.wikipedia.org/wiki/Special:EmailUser/Foobar with the errors shown on https://en.wikipedia.org/wiki/Special:EmailUser/Foo (no user) and https://en.wikipedia.org/wiki/Special:EmailUser/Foobarz (user, no e-mail) when logged in. Security-Team might have some views – have you asked them?

It's probably OK, but yeah, let's get a sign-off from Security.

T179533: Security review for disabling user-to-user email on wikis where a user has never edited created to review this entire concept

@TBolliger based on the comment by @Ragesoss this API option might have useful application indpedenet of T184470

I happened to stumble across this task. Ideally action API stuff should be tagged with MediaWiki-Action-API so I see it.

Most likely a new option on https://www.mediawiki.org/wiki/API:Options

No, that would be completely wrong. action=options is for setting preferences, not for retrieving them.

You can currently determine whether a user both has a confirmed email set and has not unchecked the "Allow other users to email me" preference via [[https://en.wikipedia.org/w/api.php?formatversion=2&action=query&list=users&ususers=Anomie%20test%7CAnomie%20test%2014%7CAnomie%20test%2015%7CAnomie%20test%2016&usprop=emailable|action=query&list=users]].

You can directly check the current user's email address and when it was confirmed using [[https://en.wikipedia.org/w/api.php?action=query&meta=userinfo&uiprop=email|action=query&meta=userinfo]]. That module is also how you retrieve the current user's preferences.

In T179414#3723999, @Ragesoss wrote:

Yes. For Wiki Ed's purposes, it should return 'true' or somesuch if an email is set, even if it has not been confirmed.

In T179414#3724172, @Jdforrester-WMF wrote:

Yeah, this data is already publicly exposed – compare https://en.wikipedia.org/wiki/Special:EmailUser/Foobar with the errors shown on https://en.wikipedia.org/wiki/Special:EmailUser/Foo (no user) and https://en.wikipedia.org/wiki/Special:EmailUser/Foobarz (user, no e-mail) when logged in.

The data @Ragesoss requested is not completely exposed, however. Both a user with no email address set and a user with an unconfirmed email address give the message "This user has not specified a valid email address." (message 'noemailtext').

It is exposed whether a user has a confirmed email but has unchecked the "Allow other users to email me" or (if applicable) "Allow emails from brand-new users " preference, via a different error message (message 'nowikiemailtext').