Page MenuHomePhabricator
Create Task
Maniphest T303913

usprop=cancreate API returns a username can be created on some wikis but not actually
Closed, InvalidPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):
For username "BrionVIBBER"
loginwiki:

{
    "name": "BrionVIBBER",
    "missing": "",
    "cancreateerror": [
        {
            "message": "$1",
            "params": [
                "The username &quot;BrionVIBBER&quot; is too similar to the following usernames:<ul><li>Brion VIBBER</li><li>Brion VIBBEr</li><li>Brion Vibber</li></ul>Please choose another username."
            ],
            "code": "_1",
            "type": "error"
        }
    ]
}

enwiki:

{
    "name": "BrionVIBBER",
    "missing": "",
    "cancreateerror": [
        {
            "message": "$1",
            "params": [
                "The username &quot;BrionVIBBER&quot; is too similar to the following usernames:<ul><li>Brion VIBBER</li><li>Brion VIBBEr</li><li>Brion Vibber</li></ul>Please choose another username."
            ],
            "code": "_1",
            "type": "error"
        }
    ]
}

zhwiki:

{
    "name": "BrionVIBBER",
    "missing": "",
    "cancreate": ""
}

What happens?:
For username "BrionVIBBER", The API says it can be created on zhwiki.

What should have happened instead?:
Since we have unified login, I think it should have the same behavior on different wikis. It should return "cancreateerror" on zhwiki for username "BrionVIBBER".

Related Objects

Event Timeline

Xiplus created this task.Mar 16 2022, 8:44 AM
Restricted Application added subscribers: Stang, Aklapper. · View Herald TranscriptMar 16 2022, 8:44 AM
Ammarpad subscribed.Mar 16 2022, 10:47 AM

Since we have unified login, I think it should have the same behavior on different wikis. It should return "cancreateerror" on zhwiki for username "BrionVIBBER".

It does (by default)

Screen Shot 2022-03-16 at 11.31.47 AM.png (807×1 px, 151 KB)

There's no global account 'BrionVIBBER'; https://meta.wikimedia.org/wiki/Special:CentralAuth?target=BrionVIBBER, and so it is creatable until disallowed by AntiSpoof. But AntiSpoof can be overridden by a user right, and you're allowed to do that on zwhiki, but not on enwiki and loginwiki. That's why you see different result on different wikis.

Xiplus added a comment.Mar 16 2022, 11:25 AM
In T303913#7781184, @Ammarpad wrote:

But AntiSpoof can be overridden by a user right

I didn't notice this. I think it's better to provide a API parameter to decide whether to use user right in checking or to provide more information in API result.

Ammarpad closed this task as Invalid.Mar 16 2022, 11:51 AM
Ammarpad added a comment.Mar 16 2022, 11:57 AM
In T303913#7781246, @Xiplus wrote:

I think it's better to provide a API parameter to decide whether to use user right in checking or to provide more information in API result.

You can create new task to request that. But, in my view, it does not look useful. It you want your user-rights to not affect what results is returned to you, you should either log out, use fresh account or use incognito browser profile. In all other cases where you're logged-in, user-rights will influence what you see and can access.

Xiplus mentioned this in T303953: Provide a warning to admins who test whether the usernames can be created.Mar 16 2022, 2:01 PM
Stang unsubscribed.Mar 27 2022, 7:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL