
Create AuthPlugin methods to capture every aspect of MW user object
Closed, Resolved, Public

Description

Author: carltonb

Description:
At the present time, AuthPlugin's user validity checks are limited to testing
whether the user exists, and testing whether the username and password combination
is valid. However, a MediaWiki user has other relevant states that can be mapped
to the external authenticator - mBlockedBy, mBlockedReason, mRights.

If the AuthPlugin:initUser method is used to set these attributes, the blocked user
condition is set too late to be effective. If these external checks are placed in
AuthPlugin:authenticate(), only the "incorrect password" error is displayed to the
user, even if the real cause was that the user was blocked.

At a minimum, the change could include adding an AuthPlugin:isBlocked method which
callers could use to set a "blocked" message.

This does raise the question of whether to autocreate a user that is either banned
or has special privileges. I would probably say create the blocked user but
disregard the special privileges. Sysop promotion should be a rare circumstance
with enough security consequences that it should be manual.


Version: unspecified
Severity: enhancement

Details

Reference
bz2027

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 21 2014, 8:28 PM
bzimport set Reference to bz2027.
bzimport added a subscriber: Unknown Object (MLST).

Daniel, could you help assess the current relevance of this old & uncommented enhancement request? Or maybe you know the right people to CC here. Thank you.

Well, we haven't changed AuthPlugin much so it's probably still valid. Our auth plugin system isn't the most flexible.

Don't know who to cc.

Setting to Lowest to reflect the fact that nobody is working or planning to work on this.

AuthManager (T91699) will replace AuthPlugin and allow classes to subscribe to login or account creation events, receive the auth data and the user object after a provisionally successful authentication, and veto the event.

Tgr claimed this task.

There is now a way for AuthenticationProvider subclasses to do arbitrary checks and return arbitrary error messages that should cover this use case:

  • testForAuthentication/testForAccountCreation for validating a login/signup request
  • testUserForCreation for autocreation
  • beginSecondaryAuthentication for preventing login after some other auth provider has resolved the login request to a username
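As an added illustration of the blocked-user case from the original request (example code, not from this task or from MediaWiki's own code base), a secondary provider that asks an external authenticator whether the user is blocked and fails the login with a "blocked" message instead of the generic password error; the `$lookup` callable, the `ExampleExt\Auth` namespace and the `externalauth-blocked` message key are hypothetical stand-ins for the external backend.

```php
<?php
namespace ExampleExt\Auth; // hypothetical extension namespace

use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
use MediaWiki\Auth\AuthenticationResponse;
use StatusValue;

class ExternalBlockProvider extends AbstractSecondaryAuthenticationProvider {
	/** @var callable string $username -> [ 'blocked' => bool, 'reason' => string ] (hypothetical backend) */
	private $lookup;

	public function __construct( callable $lookup ) {
		$this->lookup = $lookup;
	}

	public function getAuthenticationRequests( $action, array $options ) {
		// No extra form fields are needed; the check uses only the resolved username.
		return [];
	}

	public function beginSecondaryAuthentication( $user, array $reqs ) {
		// Runs only after a primary provider has resolved the request to a username,
		// so the external block state is checked before the session is created.
		$info = ( $this->lookup )( $user->getName() );
		if ( !empty( $info['blocked'] ) ) {
			// Fail with the real cause rather than letting an "incorrect password"
			// message be shown; the message key is an assumed i18n key.
			return AuthenticationResponse::newFail(
				wfMessage( 'externalauth-blocked', $info['reason'] ?? '' )
			);
		}
		return AuthenticationResponse::newPass();
	}

	public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
		// Account creation is not affected by this check.
		return AuthenticationResponse::newAbstain();
	}

	public function testUserForCreation( $user, $autocreate, array $options = [] ) {
		// Following the original proposal: autocreating a blocked user is still
		// allowed; the block is enforced at login, and external rights are ignored.
		return StatusValue::newGood();
	}
}
```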