On Fri, Mar 15, 2013 at 7:44 AM, Amgine <amgine.saewyc@gmail.com> wrote:
Several questions:

# Will the action=createaccount be disabled by default?

No, it's enabled by default.

Note that action=createaccount itself landed a few weeks ago; I'm just adding the captcha support.
 
# If enabled, is the action=createaccount reserved to a specific user
group?

action=createaccount calls into LoginForm for the actual user creation; it's the same code as creating an account on the web interface and should use the same permissions.
 
# At first blush this appears to be designed to enable xrumer bruting.
Have you considered adding optional single-use otf image creation for
fancy captcha, which would be more cost effective on small wikis?

Brute-forcing captchas on the createaccount API should be exactly as easy/difficult as brute-forcing on the createaccount form.

I have not explored new captcha engines or techniques; that would be interesting to explore but is out of scope for me right now.
 
# There are several private modules for ConfirmEdit, as well as sites
using different captchas based on ConfirmEdit (Asirra?) How might this
interact with a site using a different (non-supported) captcha module?

If the module implements the addCaptchaAPI method -- already existing for some time and used by action=edit and action=login -- then it should work with action=createaccount as well.

-- brion