Page MenuHomePhabricator

login's autocreate parameter has no effect if password is stored in password_file
Closed, DeclinedPublic

Description

Trying to better understand the issue of T183466, I create a temporary account (Test20180327) on enwiki, and tried Site(code, 'wikipedia').login() (without autocreate) several times on different wikis. The account was created automatically every time.

Then I noticed that the parameter is only respected if the password is not saved in a password file.

Users who have a password file will have an account created for them regardless of the value of autocreate.

This difference in behaviour is unexpected. We either want the accounts to be auto-created by default or we don't, it should not depend on password file.

Related commits:
c1b712702be6a3efa5f2b6a9eac37d34f2135277
b96e4c8e3153e0a0576d7dab184853ea53adc7dc

Details

Related Gerrit Patches:

Event Timeline

Dalba created this task.Mar 27 2018, 11:43 AM
Restricted Application added subscribers: pywikibot-bugs-list, Aklapper. · View Herald TranscriptMar 27 2018, 11:43 AM
Dalba updated the task description. (Show Details)Mar 27 2018, 11:46 AM
Dalba updated the task description. (Show Details)
Dalba updated the task description. (Show Details)Mar 27 2018, 12:39 PM
Dalba updated the task description. (Show Details)
Dalba renamed this task from login's autocreate paramter has no effect if password is stored in password_file to login's autocreate parameter has no effect if password is stored in password_file.Mar 27 2018, 1:26 PM
Dalba updated the task description. (Show Details)Mar 27 2018, 5:05 PM

Change 423195 had a related patch set uploaded (by Dalba; owner: Dalba):
[pywikibot/core@master] login.py: Always autocreate, deprecate the autocreate argument

https://gerrit.wikimedia.org/r/423195

Change 423195 abandoned by Dalba:
login.py: Always autocreate, deprecate the autocreate argument

Reason:
I need to think more about how this affects login process.

https://gerrit.wikimedia.org/r/423195

Dalba closed this task as Declined.EditedMar 31 2018, 6:09 AM

I'm gonna close this task as declined.

Thinking more about it, it makes sense to attempt login if there is a password in password file configured for the site. Also, security-wise, it may be desirable to not attempt login into a site if the username is not present on that site.

I still think that the autocreate argument is not that useful and can be a little confusing at times and it's possible to deprecate/remove it. but I don't see much benefit in removing it right now.

Another problem which I had with logging into private wikis can perhaps be resolved via other means. Others should feel free to reopen if they find other similar/related issues.