On 16/02/12 09:51, Nicolas Brouard INED wrote:
Thanks to Platonides for his comment and also to Olivier (the author of the Realnames extension) who told me to forward the following patch to wikitech-l (which I just subscribed to) for advice, comments and criticism.
I was just wondering if this small patch in User.php (function idFromName) was enough in most cases:
$dbr = wfGetDB( DB_SLAVE ); $s = $dbr->selectRow( 'user', array( 'user_id' ), array( 'user_name' => $nt->getText() ), __METHOD__ ); if ( $s === false ) { //Start Patch $result = null; $stwo = $dbr->selectRow( 'user', array( 'user_id' ), array( 'user_email' => $nt->getText() ), __METHOD__ ); if ( $stwo === false ) { $result = null; }else { $result = $stwo->user_id; } //End patch } else { $result = $s->user_id; }
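Review bot: The fallback query between //Start Patch and //End patch takes whichever single row selectRow returns for 'user_email' => $nt->getText(), but nothing in the hunk guarantees that an address belongs to only one account, so the ID returned can be that of a different user than the one intended. Return null when more than one row matches, or resolve the account at login where the password is available, and limit the match to addresses that have been confirmed. The two `$result = null;` assignments (before the second query and in the `$stwo === false` branch) are redundant; one is enough. Because the change sits in idFromName, every caller that passes an e-mail string now gets a user ID back, which is wider than the login form needs.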
This is only patching User::idFromName(), which won't be enough. You could well be storing the email instead of the username in the page history.
As I said, you should fix it in SpecialUserlogin.php.
Then, just try to enter your e-mail on a standard wiki in place of your username and you will be authenticated to the first ID (and user_name) having your e-mail.
The importance of e-mails as a simple way to authenticate on modern sites can't be ignored.
It can also expose the fact that someone is registered there with that email address. In the patch provided, it would also happily show under some circumstances the username associated to an email (not a problem for the internal wiki of a company, where everybody knows each other's mail, an issue for public wikis out there).
If you want to enter your standard username for authentication you can do it too.
But if your username is not a Roman but an Arabic, Thai, Japanese etc. username or even a French username with accents and if you decided to have authorship recognized in your own language and not only in an English transliterated way, you can also do it with a standard mediawiki installation. But if you are working with somebody who has an English keyboard only, the copy-paste of your Unicode username may be tedious and you would prefer to enter your e-mail address.
The modified Login form could be:
Username (or e-mail address): |___________________|
Password: |___________________|
Changing the text displayed there is trivial (edit MediaWiki:yourname).
If someone could test this patch above and report the security issues as well as performances, it could be great for us. We are managing Demopaedia.org and are willing to open the site to professional demographers (being already subscribed to a national or international union for the scientific study of population). We will not use various LDAP authentication processes but use local standard mediawiki databases. The usual way to be authenticated is the e-mail and password, and we want to keep this option. If you look (for example) at the work of Mikael, his work is authored in Cyrillic: Михаил Денисенко on http://ru-ii.demopaedia.org/w/index.php?title=90&action=history, other Russian authors use the transliteration. It is a question of taste.
If Mikael is traveling and doesn't have a Cyrillic keyboard, he would be pleased to enter his email to authenticate. The password to be entered is the password linked with his username. For people having multiple usernames (pseudos) with the same e-mail but different passwords for each, a better patch could be to test the password entered and to link with the unique username. But I am not an expert in mediawiki and php and don't know how to get the password within the function idFromName.
I understand that e-mails should not be revealed and the above patch satisfies this condition.
Comments, advice, criticism and code are welcome.
Nicolas
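
The two points raised in this thread (an e-mail login must not reveal whether an address is registered, and several usernames may share one address with different passwords) can be handled together at login time, as in this stand-alone PHP. It is an added example, not code from the original messages or from MediaWiki; the in-memory `$users` array, the `email_confirmed` and `hash` fields and `resolveLogin()` are hypothetical, and the accounts are constructed sample data.

```php
<?php
// Constructed sample accounts: two pseudonyms share one confirmed address.
$users = [
    ['user_id' => 1, 'user_name' => 'Автор Пример', 'user_email' => 'author@example.org',
     'email_confirmed' => true, 'hash' => password_hash('first-secret', PASSWORD_DEFAULT)],
    ['user_id' => 2, 'user_name' => 'Author Example', 'user_email' => 'author@example.org',
     'email_confirmed' => true, 'hash' => password_hash('second-secret', PASSWORD_DEFAULT)],
    ['user_id' => 3, 'user_name' => 'Other', 'user_email' => 'other@example.org',
     'email_confirmed' => false, 'hash' => password_hash('third-secret', PASSWORD_DEFAULT)],
];

/**
 * Hypothetical helper: map a username or e-mail address plus password to one user_id.
 * Every failure returns null, so the caller can show one generic error message
 * and never echo back the username that belongs to an address.
 */
function resolveLogin(array $users, string $identifier, string $password): ?int
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // 1. Exact username match, as in the unpatched lookup.
    $candidates = array_filter($users, fn($u) => $u['user_name'] === $identifier);
    // 2. Otherwise, every account whose confirmed address equals the identifier.
    if (!$candidates) {
        $candidates = array_filter($users, fn($u) =>
            $u['email_confirmed'] && $u['user_email'] === $identifier);
    }
    if (!$candidates) {
        password_verify($password, $dummy); // still perform one hash check
        return null;
    }
    // 3. The password selects the account; zero or several matches is a failure.
    $matched = [];
    foreach ($candidates as $u) {
        if (password_verify($password, $u['hash'])) {
            $matched[] = $u['user_id'];
        }
    }
    return count($matched) === 1 ? $matched[0] : null;
}

foreach ([['author@example.org', 'second-secret'], ['Автор Пример', 'first-secret'],
          ['author@example.org', 'wrong'], ['other@example.org', 'third-secret'],
          ['nobody@example.org', 'x']] as [$id, $pw]) {
    var_dump(resolveLogin($users, $id, $pw));
}
```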