Kat Walsh wrote:
> ... if the user knows the password, the account is effectively theirs; seems silly to make them take the extra step of going and changing the email before it shows in the list.

Yes, that would be silly -- that's why they're instead prompted to enter the password.

> I'm assuming this doesn't work on the test wiki yet -- I was prompted to enter a password and it only accepted the one I used with my login to the test wiki. It identified en.wikipedia as my home account but said I would have to log in at en.wikipedia to complete the merge process.

That's the intended behavior -- the merge process requires that you be working at your main account or at an account which can be automatically determined to match it by password.
This minimizes the risk of someone else milling your accounts for information by making an account which would get merged in due to disuse or matching e-mail address.

> However, when I changed my password on test to the one I use on enwikipedia, it suggested all of the "mindspillage" accounts to merge, only prompting for my password on accounts where I have both different email and password.
> Is this what's intended?

Sounds about right! It can then match to your primary account (en.wikipedia in this case) by password, and then also match all others with the same password or e-mail address.
You'd only need to enter additional passwords if they can't be matched already.
-- brion vibber (brion @ wikimedia.org)
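
The matching rule discussed in this message, sketched as an added example (not MediaWiki's code and not part of the original e-mail). `LocalAccount`, `plan_merge` and the sample accounts are hypothetical, and comparing e-mail addresses against the home account's address is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalAccount:  # hypothetical record, one per wiki
    wiki: str
    email: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, wiki: str, email: str, password: str) -> "LocalAccount":
        salt = os.urandom(16)
        return cls(wiki, email, salt, _kdf(password, salt))

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _kdf(password, self.salt))


def plan_merge(accounts, home_wiki, working_wiki, password):
    """Return (attached, needs_password) lists of wiki names."""
    by_wiki = {a.wiki: a for a in accounts}
    home, working = by_wiki[home_wiki], by_wiki[working_wiki]
    if not working.check(password):
        raise PermissionError("wrong password for the working account")
    # Gate: be at the home account, or at one that matches it by password.
    if working is not home and not home.check(password):
        raise PermissionError(f"log in at {home_wiki} to complete the merge")
    attached, needs_password = [], []
    for acct in accounts:
        # Assumption: e-mail matching compares against the home account.
        if acct is home or acct.check(password) or acct.email == home.email:
            attached.append(acct.wiki)
        else:
            needs_password.append(acct.wiki)  # prompt for this one
    return attached, needs_password


# Constructed sample accounts (addresses and passwords are made up).
ACCOUNTS = [
    LocalAccount.create("en.wikipedia", "user@example.org", "main-pw"),
    LocalAccount.create("test.wikipedia", "user@example.org", "test-pw"),
    LocalAccount.create("meta.wikimedia", "old@example.org", "main-pw"),
    LocalAccount.create("de.wikipedia", "old@example.org", "forgotten-pw"),
]
```

Starting from `test.wikipedia` with its own password is refused because that password does not match the home account, which is the case where a matching e-mail address alone must not be enough to start a merge.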