On 16/02/12 09:51, Nicolas Brouard INED wrote:
Thanks to Platonides for his comment and also to
Olivier (the author of the Realnames extension) who told me to forward the following patch
to wikitech-l (which I just subscribed to) for advice, comments and criticism.
I was just wondering if this small patch in User.php (function idFromName) was enough in
most cases:
$dbr = wfGetDB( DB_SLAVE );
$s = $dbr->selectRow( 'user', array( 'user_id' ), array(
'user_name' => $nt->getText() ), __METHOD__ );
if ( $s === false ) {
//Start Patch $result = null;
$stwo = $dbr->selectRow( 'user', array( 'user_id' ), array(
'user_email' => $nt->getText() ), __METHOD__ );
if ( $stwo === false ) {
$result = null;
}else {
$result = $stwo->user_id;
}
//End patch
} else {
$result = $s->user_id;
}
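
Review bot: the fallback query on 'user_email' => $nt->getText() goes through selectRow() with no uniqueness check, so when several accounts share an address the function returns whichever row the database yields first and that account becomes the one resolved. Fetch every row matching the address and return null unless exactly one matches. The fallback also sits inside idFromName() itself, so every caller that resolves a name to an id will now accept an e-mail address, not only the login form; keeping the e-mail lookup in the login path would limit it to where it is intended.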

This is only patching User::idFromName(), which won't be enough.
You could well be storing the email instead of the username in the page
history.
As I said, you should fix it in SpecialUserlogin.php.

Then, just try to enter your e-mail on a standard wiki
in place of your username and you will be authenticated to the first ID (and user_name)
having your e-mail.
The importance of e-mails as a simple way to authenticate on modern sites can't be
ignored.

It can also expose the fact that someone is registered there with that
email address.
In the patch provided, it would also happily show under some
circumstances the username associated to an email (not a problem for the
internal wiki of a company, where everybody knows each other's mail, an
issue for public wikis out there).

If you want to enter your standard username for
authentication you can do it too.
But if your username is not a Roman but an Arabic, Thai, Japanese etc. username or even a
French username with accents and if you decided to have authorship recognized in your own
language and not only in an English transliterated way, you can also do it with a standard
mediawiki installation. But if you are working with somebody who has an English keyboard
only, the copy-paste of your Unicode username may be tedious and you would prefer to enter
your e-mail address.
The modified Login form could be:
Username (or e-mail address): |___________________|
Password: |___________________|

Changing the text displayed there is trivial (edit MediaWiki:yourname).

If someone could test this patch above and report the
security issues as well as performance, it could be great for us.
We are managing
Demopaedia.org and are willing to open the site to professional
demographers (being already subscribed to a national or international union for the
scientific study of population). We will not use various LDAP authentication processes but
use local standard mediawiki databases. The usual way to be authenticated is the e-mail
and password, and we want to keep this option. If you look (for example) at the work of
Mikael, his work is authored in Cyrillic: Михаил Денисенко on
http://ru-ii.demopaedia.org/w/index.php?title=90&action=historytory, other Russian authors
use the transliteration. It is a question of taste.
If Mikael is traveling and doesn't have a Cyrillic keyboard, he would be pleased to
enter his email to authenticate. The password to be entered is the password linked with
his username.
For people having multiple usernames (pseudos) with the same e-mail but different
passwords for each, a better patch could be to test the password entered and to link with
the unique username. But I am not an expert in mediawiki and php and don't know how to
get the password within the function idFromName.
I understand that e-mails should not be revealed and the above patch satisfies this
condition.
Comments, advice, criticism and code are welcome.
Nicolas
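
The password-based disambiguation suggested above for accounts sharing one e-mail address, combined with the concern about revealing registered addresses, sketched as an added example (not code from this thread or from MediaWiki). The resolveLogin() helper, the in-memory $users array and the sample accounts are hypothetical; a real wiki would query its user table and use its own password storage.

```php
<?php
// Constructed sample accounts; users 1 and 2 share one e-mail address.
$users = [
    ['id' => 1, 'name' => 'Alice', 'email' => 'shared@example.org',
     'hash' => password_hash('pw-one', PASSWORD_DEFAULT)],
    ['id' => 2, 'name' => 'Алиса', 'email' => 'shared@example.org',
     'hash' => password_hash('pw-two', PASSWORD_DEFAULT)],
    ['id' => 3, 'name' => 'Bob', 'email' => 'bob@example.org',
     'hash' => password_hash('pw-bob', PASSWORD_DEFAULT)],
];

// Hypothetical helper: map (username or e-mail, password) to a user id.
// Every failure returns null, so the caller cannot tell an unknown
// address from a wrong password, and no username is echoed back.
function resolveLogin(array $users, string $identifier, string $password): ?int
{
    // Hash checked when nothing matches, so that path also costs one verify.
    static $dummy = null;
    $dummy ??= password_hash('unused-placeholder', PASSWORD_DEFAULT);

    // An exact username match takes priority over the e-mail fallback.
    $candidates = array_filter($users, fn($u) => $u['name'] === $identifier);
    if (!$candidates) {
        $candidates = array_filter($users, fn($u) => $u['email'] === $identifier);
    }
    if (!$candidates) {
        password_verify($password, $dummy);
        return null;
    }

    // Try the password against every candidate; accept one unique match only.
    $matched = [];
    foreach ($candidates as $u) {
        if (password_verify($password, $u['hash'])) {
            $matched[] = $u['id'];
        }
    }
    return count($matched) === 1 ? $matched[0] : null;
}

// Shared address: the password decides which account is meant.
var_dump(resolveLogin($users, 'shared@example.org', 'pw-two'));
// Unknown address and wrong password are reported identically.
var_dump(resolveLogin($users, 'nobody@example.org', 'pw-two'));
var_dump(resolveLogin($users, 'bob@example.org', 'wrong'));
```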