As some folks may recall, an action=createaccount was added to the API a few weeks ago. Unfortunately the first pass didn't include CAPTCHA support, so we haven't been able to use it for the live sites yet (which use ConfirmEdit's "FancyCaptcha" mode). We expect to start using this in the next couple weeks for the mobile Commons apps, so it's time to make it captcha-friendly...
I've made a first stab at adding support, based on the existing captcha interfaces for login and editing:
Several questions:
# Will the action=createaccount be disabled by default?
# If enabled, is the action=createaccount reserved to a specific user group?
# At first blush this appears to be designed to enable xrumer bruting. Have you considered adding optional single-use otf image creation for fancy captcha, which would be more cost effective on small wikis?
# There are several private modules for ConfirmEdit, as well as sites using different captchas based on ConfirmEdit (Asirra?) How might this interact with a site using a different (non-supported) captcha module?
Amgine
On Fri, Mar 15, 2013 at 7:44 AM, Amgine <amgine.saewyc@gmail.com> wrote:
Several questions:
# Will the action=createaccount be disabled by default?
No, it's enabled by default.
Note that action=createaccount itself landed a few weeks ago; I'm just adding the captcha support.
# If enabled, is the action=createaccount reserved to a specific user group?
action=createaccount calls into LoginForm for the actual user creation; it's the same code as creating an account on the web interface and should use the same permissions.
# At first blush this appears to be designed to enable xrumer bruting. Have you considered adding optional single-use otf image creation for fancy captcha, which would be more cost effective on small wikis?
Brute-forcing captchas on the createaccount API should be exactly as easy/difficult as brute-forcing on the createaccount form.
I have not explored new captcha engines or techniques; that would be interesting to explore but is out of scope for me right now.
# There are several private modules for ConfirmEdit, as well as sites using different captchas based on ConfirmEdit (Asirra?) How might this interact with a site using a different (non-supported) captcha module?
If the module implements the addCaptchaAPI method -- already existing for some time and used by action=edit and action=login -- then it should work with action=createaccount as well.
-- brion
mediawiki-api@lists.wikimedia.org