
Login with no Password
Closed, Declined (Public)

Description

Author: geron

Description:
Hello,

I installed MediaWiki 1.3.9 on Saturday. I want a limited number of
authors for this wiki, so I followed the description at the URL:
"http://meta.wikimedia.org/wiki/Preventing_Access".

Using:

$wgWhitelistAccount = array ( "sysop" => 1, "developer" => 1 );
$wgWhitelistEdit = true;

It works quite right with WikiSysop, but other accounts can log in with the right
password or no password (field is blank). Logins with wrong passwords do not
work.
Is it only a configuration error or is it a bug in the script?

So long.

Daniel Gohlke

Version: 1.3.x
Severity: normal
OS: Linux
Platform: PC

Details

Reference
bz1448

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 21 2014, 8:09 PM
bzimport set Reference to bz1448.
bzimport added a subscriber: Unknown Object (MLST).

jeluf wrote:

Did these accounts already exist before you added the two lines to the config?

geron wrote:

Yes, they did. I created these accounts as WikiSysop via
<nowiki>[[Special:Userlogin]]</nowiki>, sending me and other authors a password
via email. I found this out when I was working on a Windows machine and typing
"enter" all the time.

What's the exact sequence you used in creating accounts?

Did you leave the password fields blank when creating the accounts?
This would set an initial empty password, allowing login with no
password.

geron wrote:

Yes, I did not set a password. The system generates a password and sends it via
e-mail, doesn't it?
First I chose a username for each author and nothing else. Then I sent it. Each
author got an email with username and password.
Is the initial empty password also available?

jeluf wrote:

Yes, the initial password is available at the same time.

The "I forgot my password" button is available for any user. If it is hit, the
user can log in using either his old password or the password he received via
mail. If we didn't allow both passwords, hitting the button would allow
denial-of-service attacks.

Assign an initial non-empty password to prevent logins without a password.

Changing all WONTFIX high priority bugs to lowest priority (no mail should be generated since I turned it off for this.)
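
The behaviour discussed in this thread, as an added example that is not MediaWiki code and not part of the original report: a simplified model in which a blank initial password and a mailed password are both valid, next to a login check that refuses a blank field and an audit that lists accounts still holding an empty password. The class and function names are hypothetical, the accounts are constructed samples, and PHP's `password_hash` stands in for whatever hashing the wiki itself uses (PHP 8 assumed).

```php
<?php
// Added illustration: a simplified model, not MediaWiki code.
// Account, createAccount, mailNewPassword, checkLogin and emptyPasswordAccounts are hypothetical names.
final class Account {
    public ?string $mailedHash = null; // hash of the e-mailed password, if one was sent
    public function __construct(public string $name, public string $hash) {}
}

function createAccount(string $name, string $password, bool $allowEmpty): Account {
    if ($password === '' && !$allowEmpty) {
        throw new InvalidArgumentException("refusing empty initial password for $name");
    }
    return new Account($name, password_hash($password, PASSWORD_DEFAULT));
}

// Sending a new password adds a second credential and keeps the stored one valid.
function mailNewPassword(Account $a): string {
    $new = bin2hex(random_bytes(8));
    $a->mailedHash = password_hash($new, PASSWORD_DEFAULT);
    return $new; // stands in for the e-mail to the account owner
}

function checkLogin(Account $a, string $supplied, bool $rejectEmpty): bool {
    if ($rejectEmpty && $supplied === '') {
        return false; // hardened check: a blank field never authenticates
    }
    if (password_verify($supplied, $a->hash)) {
        return true;
    }
    return $a->mailedHash !== null && password_verify($supplied, $a->mailedHash);
}

// Audit: names of accounts whose stored password is the empty string.
function emptyPasswordAccounts(array $accounts): array {
    $hits = array_filter($accounts, fn(Account $a) => password_verify('', $a->hash));
    return array_values(array_map(fn(Account $a) => $a->name, $hits));
}

// Constructed sample accounts
$author = createAccount('Author1', '', true); // password field left blank at creation
$sysop  = createAccount('WikiSysop', 'constructed-sample-pw', true);
$mailed = mailNewPassword($author);

foreach ([['blank', ''], ['mailed', $mailed], ['wrong', 'not-the-password']] as [$label, $pw]) {
    printf("%-6s as-reported=%s hardened=%s\n", $label,
        var_export(checkLogin($author, $pw, false), true),
        var_export(checkLogin($author, $pw, true), true));
}
echo 'accounts to fix: ', implode(', ', emptyPasswordAccounts([$author, $sysop])), "\n";
```

Calling `createAccount` with `$allowEmpty` set to `false` is the creation-time counterpart of the advice above to assign a non-empty initial password.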