Hi folks,
I'm in the process of writing an AuthPlugin for bbPress, so that the WordPress folks can do single sign-on between their user forums and their MediaWiki install. First release is here: http://codex.wordpress.org/User:RobLa/bbPress_Auth_for_MediaWiki
One thing I'm having trouble with is the case sensitivity issue. bbPress isn't case sensitive. MediaWiki is. This makes logging in relatively simple. As it turns out, I accidentally leveraged SQL's default case-insensitivity in my first crack at this.
So, I try logging in as "RobLa". My plugin checks the bbPress database, where I've registered "robla", and allows me to check my credentials there. All good, so "RobLa" created. Log out, log back in as "RobLa", and all works well. Yay!
However, I log back out and log back in as "RoBLA". It allows this too. Yay? Looking at the user db, it appears to have auto-created accounts for "RobLa" and "RoBLA". Boo!
My inclination is to add a new method AuthPlugin::getCanonicalName($username), which gets called from User::newFromName. That'll give my plugin (or any AuthPlugin) a crack at munging the name just before an account is created.
Before I do all of that, though, I'm hoping that there's a better approach that I'm not considering. Thoughts?
Rob
Rob Lanphier wrote:
However, I log back out and log back in as "RoBLA". It allows this too. Yay? Looking at the user db, it appears to have auto-created accounts for "RobLa" and "RoBLA". Boo!
My inclination is to add a new method AuthPlugin::getCanonicalName($username), which gets called from User::newFromName. That'll give my plugin (or any AuthPlugin) a crack at munging the name just before an account is created.
Before I do all of that, though, I'm hoping that there's a better approach that I'm not considering. Thoughts?
You should be able to modify the name on the user object as it's passed through to you to use the canonical case form.
(Warning: I have not tried this!)
-- brion vibber (brion @ pobox.com)
On Sat, 2005-07-23 at 11:10 +0200, Brion Vibber wrote:
Rob Lanphier wrote:
However, I log back out and log back in as "RoBLA". It allows this too. Yay? Looking at the user db, it appears to have auto-created accounts for "RobLa" and "RoBLA". Boo!
My inclination is to add a new method AuthPlugin::getCanonicalName($username), which gets called from User::newFromName. That'll give my plugin (or any AuthPlugin) a crack at munging the name just before an account is created.
You should be able to modify the name on the user object as it's passed through to you to use the canonical case form.
I don't believe that the user object is getting properly passed through at a time that it does any good. Most of the current interfaces pass copies of the "username" string up until the point where there's a verified account (too late). AuthPlugin::initUser is the first crack I get at a user object that's been explicitly passed through, which is too late.
So, my options appear to be:
1. (my current approach) add call to AuthPlugin::setCanonicalName in User::newFromName. I coded this last night, and it seems to work pretty well, but does require a patch.
2. Try munging a global, such as $wgUser, in AuthPlugin::authenticate. I haven't yet worked out if that'll actually do the trick, since it appears that the mName member of LoginForm object is the name that is being used right up until account creation, and I don't think AuthPlugin has access to it (as a global, by passed-in reference, or otherwise). Regardless, I'm assuming that munging globals from plugins is bad behavior that'll eventually break. That said, I much prefer a solution that won't require a patch, so I'm willing to go that route for 1.5.
I'm assuming that getting a patch included in the mainline 1.5 release is pretty tough at this point, which is fine. I'm hoping to target a patch for the release after, if we agree that one is needed for clean integration. In the meantime, I'll work around the issue for 1.5.
I've included the patch thus far, which is against CVS head.
Rob
Rob Lanphier wrote:
- (my current approach) add call to AuthPlugin::setCanonicalName in User::newFromName. I coded this last night, and it seems to work pretty well, but does require a patch.
Open up an enhancement on bugzilla and post this patch. :)
(Patches don't generally survive the mailing list filters. We've got most attachments disabled due to a few past incidences with virus attachments getting through.)
I'm assuming that getting a patch included in the mainline 1.5 release is pretty tough at this point, which is fine. I'm hoping to target a patch for the release after, if we agree that one is needed for clean integration. In the meantime, I'll work around the issue for 1.5.
If it's small, to the point, non-invasive, and bug-free then yes I'd love to see it in.
-- brion vibber (brion @ pobox.com)
Rob Lanphier wrote:
I'm in the process of writing an AuthPlugin for bbPress, so that the WordPress folks can do single sign-on between their user forums and their MediaWiki install. First release is here: http://codex.wordpress.org/User:RobLa/bbPress_Auth_for_MediaWiki
One thing I'm having trouble with is the case sensitivity issue. bbPress isn't case sensitive. MediaWiki is. This makes logging in relatively simple. As it turns out, I accidentally leveraged SQL's default case-insensitivity in my first crack at this.
I've thought about this issue before (when a friend asked me if one could make article titles entirely case-insensitive).
Personally, I believe the best approach would be the following. Have all the names (article titles in the 'page' table in his case, usernames in the 'user' table in your case) be entirely lower-case and define that as the "canonical form". Then when someone tries to log in as "RobLA" it will search for "robla" and find it.
Then add another column to that table, 'displayname' or something, which contains the username with the capitalisation the user prefers. In Recent Changes, Watchlists, Histories, everything where a username is shown, you use that, but in URLs you use the lower-case form.
Personally, I would prefer if usernames on Wikipedia were entirely case-insensitive. Then again, I think article titles should be case-insensitive too, but that would be quite a radical change.
Timwi
Timwi wrote:
Rob Lanphier wrote:
I'm in the process of writing an AuthPlugin for bbPress, so that the WordPress folks can do single sign-on between their user forums and their MediaWiki install. First release is here: http://codex.wordpress.org/User:RobLa/bbPress_Auth_for_MediaWiki
One thing I'm having trouble with is the case sensitivity issue. bbPress isn't case sensitive. MediaWiki is. This makes logging in relatively simple. As it turns out, I accidentally leveraged SQL's default case-insensitivity in my first crack at this.
I've thought about this issue before (when a friend asked me if one could make article titles entirely case-insensitive).
Personally, I believe the best approach would be the following. Have all the names (article titles in the 'page' table in his case, usernames in the 'user' table in your case) be entirely lower-case and define that as the "canonical form". Then when someone tries to log in as "RobLA" it will search for "robla" and find it.
Then add another column to that table, 'displayname' or something, which contains the username with the capitalisation the user prefers. In Recent Changes, Watchlists, Histories, everything where a username is shown, you use that, but in URLs you use the lower-case form.
Personally, I would prefer if usernames on Wikipedia were entirely case-insensitive. Then again, I think article titles should be case-insensitive too, but that would be quite a radical change.
Timwi
Hoi, As the wiktionaries have turned off first character capitalisation, it is impossible to have case insensitive articles. It would have a disastrous effect if case insensitivity was imposed.
From a security point of view passwords are not great at the best of times. When you decrease their usefulness by half by imposing on capitalised versions of passwords then you have implemented a deterioration of the implemented security. When you have case insensitive passwords for bbPress and case sensitive passwords for Mediawiki, it is more or less OK, I trust you allow for the changing of passwords.
Thanks, GerardM
Hi Tim,
Thanks for the feedback. Since Brion incorporated my patch (thanks Brion!), I've got a lot of flexibility in how to approach this, including the approach that you suggest.
I'm to the point where we should take the conversation to the MediaWiki/WordPress integration list, since they are the customers of this feature: http://lists.automattic.com/mailman/listinfo/wiki-tech
Please direct follow-ups to that list instead of wikitech-l.
For those just joining us, here's the thread so far: http://mail.wikipedia.org/pipermail/wikitech-l/2005-July/thread.html#30861
Comments inline:
On Sun, 2005-07-24 at 11:32 +0100, Timwi wrote:
Rob Lanphier wrote:
I'm in the process of writing an AuthPlugin for bbPress, so that the WordPress folks can do single sign-on between their user forums and their MediaWiki install. First release is here: http://codex.wordpress.org/User:RobLa/bbPress_Auth_for_MediaWiki
One thing I'm having trouble with is the case sensitivity issue. bbPress isn't case sensitive. MediaWiki is. This makes logging in relatively simple. As it turns out, I accidentally leveraged SQL's default case-insensitivity in my first crack at this.
I've thought about this issue before (when a friend asked me if one could make article titles entirely case-insensitive).
Personally, I believe the best approach would be the following. Have all the names (article titles in the 'page' table in his case, usernames in the 'user' table in your case) be entirely lower-case and define that as the "canonical form". Then when someone tries to log in as "RobLA" it will search for "robla" and find it.
Then add another column to that table, 'displayname' or something, which contains the username with the capitalisation the user prefers. In Recent Changes, Watchlists, Histories, everything where a username is shown, you use that, but in URLs you use the lower-case form.
Here's how I'm solving it for now. I'm letting the user use whatever case they want for their first login. So, if "robla" signs in as "RobLa" on the first time, a new MediaWiki user table entry with "RobLa" in the user_name field is created.
On the second and subsequent tries, the login portion isn't case sensitive. So, I can still log in as "robla" or "RoBlA", and it'll blissfully accept it (passwords are another story, always case sensitive as they should be). However, when AuthPlugin::getCanonicalName is called, it'll return the first (and presumably only) instance of "robla" in the /MediaWiki/ database, by making this call:

    $res = $dbr->selectRow('user', array("user_name"),
        "lower(user_name)=lower(" . $dbr->addQuotes($username) . ")",
        "AuthBBPress::getCanonicalName");
Thus, if "RobLa" was what I used the first time, it'll show that I'm logged in as "RobLa" now, regardless of what case I filled in subsequent login attempts.
This works particularly well for folks that are migrating to single sign-on, since this works for whatever case was chosen in the legacy accounts, while still making it possible to only have one representation of that combination of letters.
It's not a perfect scheme. People probably won't realize just how important it is that the first login attempt use the case combo that they want to live with. In fact, just to avoid MediaWiki problems, I'm leaving the automatic first letter transition of "robla" to "Robla" intact. However, there doesn't seem to be any sense in making a preference or a new database entry, since the case of login names in MediaWiki isn't easily mutable once created.
The very nice part about this is that there are now no further patches to MediaWiki required. A stock MediaWiki 1.5 install will work out of the box.
Rob
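
Added example, not part of the original thread and not code from MediaWiki or the bbPress plugin: a self-contained Python/sqlite3 model of the mismatch discussed above, where a case-insensitive identity source feeds a case-sensitive account table, run with and without the canonical-name lookup. Table names, function names and the sample account are assumptions made for the illustration.

```python
import hashlib
import hmac
import sqlite3

def _pw_hash(password):
    # Constructed fixed salt and low iteration count, only to keep the model short.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 1000)

def make_db():
    """Constructed sample data: one forum account, empty wiki user table."""
    db = sqlite3.connect(":memory:")
    # Forum side: login names compare case-insensitively (COLLATE NOCASE).
    db.execute("CREATE TABLE bb_users (user_login TEXT COLLATE NOCASE, pw BLOB)")
    # Wiki side: user_name is case-sensitive (SQLite's default BINARY collation).
    db.execute("CREATE TABLE wiki_user (user_name TEXT UNIQUE)")
    db.execute("INSERT INTO bb_users VALUES ('robla', ?)", (_pw_hash("s3cret"),))
    return db

def bb_authenticate(db, username, password):
    """The name matches in any case; the password check stays exact."""
    row = db.execute("SELECT pw FROM bb_users WHERE user_login = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _pw_hash(password))

def get_canonical_name(db, username):
    """Stored spelling of an existing wiki account, else the name as typed."""
    row = db.execute(
        "SELECT user_name FROM wiki_user WHERE lower(user_name) = lower(?)",
        (username,)).fetchone()
    return row[0] if row else username

def login(db, username, password, canonicalize):
    """Authenticate against the forum, then auto-create the wiki account if missing."""
    if not bb_authenticate(db, username, password):
        return None
    name = get_canonical_name(db, username) if canonicalize else username
    db.execute("INSERT OR IGNORE INTO wiki_user VALUES (?)", (name,))
    return name

def wiki_accounts(db):
    return [r[0] for r in db.execute("SELECT user_name FROM wiki_user ORDER BY rowid")]

def run(canonicalize):
    """Log in three times with different casing; return (session names, accounts)."""
    db = make_db()
    names = [login(db, n, "s3cret", canonicalize) for n in ("RobLa", "RoBLA", "robla")]
    return names, wiki_accounts(db)
```

SQLite's built-in lower() folds ASCII letters only, so this model says nothing about non-ASCII usernames.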