
Create API option to see if user has an email address associated with their account
Open, Needs Triage, Public

Description

This will be used to automate a check if a user or group of users has an email address set in their user preferences.

This should not return the email address itself, but should simply return a boolean yes/no or true/false or similar.

Most likely a new option on https://www.mediawiki.org/wiki/API:Options

Event Timeline

@kaldari @Jdforrester-WMF — Your thoughts on this ticket? I can't imagine this would open any vulnerabilities or avenues for abuse. Should I check with Legal to be safe?

@Ragesoss — Would this address WikiEd's use case?

Yes. For Wiki Ed's purposes, it should return 'true' or somesuch if an email is set, even if it has not been confirmed. We want this so that we can head off students and professors who lose their passwords without setting an email; we encourage them to set one and make it clear that they won't be able to password reset without doing so.

Yeah, this data is already publicly exposed – compare https://en.wikipedia.org/wiki/Special:EmailUser/Foobar with the errors shown on https://en.wikipedia.org/wiki/Special:EmailUser/Foo (no user) and https://en.wikipedia.org/wiki/Special:EmailUser/Foobarz (user, no e-mail) when logged in. Security-Team might have some views – have you asked them?

It's probably OK, but yeah, let's get a sign-off from Security.

@TBolliger based on the comment by @Ragesoss this API option might have useful application independent of T184470

TBolliger reopened this task as Open. Jan 12 2018, 5:19 PM

Fair enough, reopened and removed Anti-Harassment.

Anomie added a subscriber: Anomie. Edited Jan 12 2018, 5:53 PM

I happened to stumble across this task. Ideally action API stuff should be tagged with MediaWiki-API so I see it.

> Most likely a new option on https://www.mediawiki.org/wiki/API:Options

No, that would be completely wrong. action=options is for setting preferences, not for retrieving them.

You can currently determine whether a user both has a confirmed email set and has not unchecked the "Allow other users to email me" preference via action=query&list=users.

You can directly check the current user's email address and when it was confirmed using action=query&meta=userinfo. That module is also how you retrieve the current user's preferences.

> Yes. For Wiki Ed's purposes, it should return 'true' or somesuch if an email is set, even if it has not been confirmed.

> Yeah, this data is already publicly exposed – compare https://en.wikipedia.org/wiki/Special:EmailUser/Foobar with the errors shown on https://en.wikipedia.org/wiki/Special:EmailUser/Foo (no user) and https://en.wikipedia.org/wiki/Special:EmailUser/Foobarz (user, no e-mail) when logged in.

The data @Ragesoss requested is not completely exposed, however. Both a user with no email address set and a user with an unconfirmed email address give the message "This user has not specified a valid email address." (message 'noemailtext').

It is exposed whether a user has a confirmed email but has unchecked the "Allow other users to email me" or (if applicable) "Allow emails from brand-new users" preference, via a different error message (message 'nowikiemailtext').
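
An added example, not part of the thread or of MediaWiki's own code: it builds the `action=query&list=users` request discussed above with `usprop=emailable` and shows what that flag does and does not reveal. The endpoint URL, the helper names and the sample response are constructed for illustration; the usernames are the ones used in the Special:EmailUser comparison.

```python
import json
from urllib.parse import urlencode

API = "https://en.wikipedia.org/w/api.php"  # endpoint assumed for illustration


def build_users_query(names):
    """URL for action=query&list=users that asks only for the 'emailable' flag."""
    params = {
        "action": "query", "list": "users", "usprop": "emailable",
        "ususers": "|".join(names), "format": "json", "formatversion": "2",
    }
    return API + "?" + urlencode(params)


def classify(response_text):
    """Map each requested name to what the public response discloses about it."""
    result = {}
    for user in json.loads(response_text)["query"]["users"]:
        if "missing" in user or "invalid" in user:
            result[user["name"]] = "no such user"
        elif "emailable" in user and user["emailable"] is not False:
            # Older output marks the flag by key presence, newer output by true.
            result[user["name"]] = "confirmed email, accepts email from users"
        else:
            # No address, unconfirmed address and opted out are indistinguishable.
            result[user["name"]] = "not emailable (reason not disclosed)"
    return result


# Constructed sample response; no network access is needed to run this.
SAMPLE = json.dumps({"query": {"users": [
    {"userid": 1, "name": "Foobar", "emailable": True},
    {"name": "Foo", "missing": True},
    {"userid": 2, "name": "Foobarz", "emailable": False},
]}})

if __name__ == "__main__":
    print(build_users_query(["Foobar", "Foo", "Foobarz"]))
    for name, verdict in classify(SAMPLE).items():
        print(f"{name}: {verdict}")
```

The third outcome is the gap the task describes: this query alone cannot tell a user with no address from one with an unconfirmed address.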