jenkins-bot has submitted this change and it was merged.

Change subject: Add $OpenIDConnect_MigrateUsersByEmail configuration parameter
......................................................................


Add $OpenIDConnect_MigrateUsersByEmail configuration parameter

This provides an alternative to $OpenIDConnect_MigrateUsers where users are
migrated by matching their full email to that of an existing user, rather than
by their preferred_username (which is not set for Google). If multiple accounts
share the email address of the user logging in, the oldest account will be chosen.

This setting should be more secure than the MigrateUsers setting, since emails
should be unique identifiers. However, it would still be desirable to ask for
some credentials for the merged account.

Change-Id: Ia7a1b69e4204812ec9e47f87b8a402596f34e90b
---
M OpenIDConnect.php
M extension.json
2 files changed, 44 insertions(+), 9 deletions(-)

Approvals:
  Cicalese: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/OpenIDConnect.php b/OpenIDConnect.php
index 1af6e23..f300719 100644
--- a/OpenIDConnect.php
+++ b/OpenIDConnect.php
@@ -166,11 +166,18 @@
                                        return true;
                                }
 
-                               if ( $GLOBALS['wgOpenIDConnect_MigrateUsers'] 
=== true ) {
-                                       $id = $this->getMigratedId( 
$preferred_username );
+                               if( 
$GLOBALS['wgOpenIDConnect_MigrateUsersByEmail'] === true ) {
+                                       list ( $id, $username ) = 
$this->getMigratedIdByEmail( $email );
                                        if ( !is_null( $id ) ) {
                                                $this->saveExtraAttributes( $id 
);
-                                               wfDebug( "Migrated user: " . 
$preferred_username );
+                                               wfDebug( "Migrated user " . 
$username . " by email: " . $email );
+                                               return true;
+                                       }
+                               } elseif ( 
$GLOBALS['wgOpenIDConnect_MigrateUsersByUserName'] === true ) {
+                                       $id = $this->getMigratedIdByUserName( 
$preferred_username );
+                                       if ( !is_null( $id ) ) {
+                                               $this->saveExtraAttributes( $id 
);
+                                               wfDebug( "Migrated user by 
username: " . $preferred_username );
                                                $username = $preferred_username;
                                                return true;
                                        }
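Review bot: The new email branch links the OpenID Connect identity to an existing account on the strength of `$email` alone, and nothing visible in this hunk checks that the provider reported the address as verified (the `email_verified` claim) before `getMigratedIdByEmail( $email )` is called. If a provider lets users set an address it has not confirmed, a matching email does not prove ownership of the local account. I would gate the branch on that claim and record the reason next to it, for example `// Only migrate on an address the provider reports as verified; an unverified claim does not prove ownership.` Because the second branch is an `elseif`, username migration is never attempted when the email setting is on and no row matches, which should be documented if it is intended. The enclosing method starts and ends outside the hunk, so an earlier check on `$email` may already exist.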
@@ -257,9 +264,9 @@
                }
        }
 
-       private static function getMigratedId( $username ) {
+       private static function getMigratedIdByUserName( $username ) {
                $nt = Title::makeTitleSafe( NS_USER, $username );
-               if ( $nt === null ) {
+               if ( is_null( $nt ) ) {
                        return null;
                }
                $username = $nt->getText();
@@ -270,12 +277,40 @@
                                'user_name' => $username,
                                'subject' => null,
                                'issuer' => null
-                       ], __METHOD__
+                       ],
+                       __METHOD__
                );
                if ( $row === false ) {
                        return null;
                } else {
                        return $row->user_id;
+               }
+       }
+
+       private static function getMigratedIdByEmail( $email ) {
+               wfDebug( "Matching user to email " . $email );
+               $dbr = wfGetDB( DB_SLAVE );
+               $row = $dbr->selectRow( 'user',
+                       [
+                               'user_id',
+                               'user_name'
+                       ],
+                       [
+                               'user_email' => $email,
+                               'subject' => null,
+                               'issuer' => null
+                       ],
+                       __METHOD__,
+                       [
+                               // if multiple matching accounts, use the 
oldest one
+                               'ORDER BY' => 'user_registration',
+                               'LIMIT' => 1
+                       ]
+               );
+               if ( $row === false ) {
+                       return [ null, null ];
+               } else {
+                       return [ $row->user_id, $row->user_name ];
                }
        }
 
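Review bot: `getMigratedIdByEmail()` runs the lookup even when `$email` is empty. With the condition `'user_email' => $email` and `'ORDER BY' => 'user_registration'`, an empty string would likely select the oldest unlinked account that has no address stored, which on many wikis is an early privileged account. A guard at the top closes this: `if ( !is_string( $email ) || $email === '' ) { return [ null, null ]; }`. The conditions also accept a local address the account holder never confirmed, and adding `'user_email_authenticated IS NOT NULL'` would restrict matches to confirmed addresses. Separately, `wfDebug( "Matching user to email " . $email )` writes the address to the debug log on every attempt, so consider dropping it or logging only the matched `user_id`.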
@@ -354,4 +389,3 @@
                $GLOBALS['wgWhitelistRead'][] = 
'Special:SelectOpenIDConnectIssuer';
        }
 }
-
diff --git a/extension.json b/extension.json
index 87e76f7..d1cf213 100644
--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
        "name": "OpenID Connect",
-       "version": "2.3",
+       "version": "3.0",
        "author": [
                "[https://www.mediawiki.org/wiki/User:Cindy.cicalese Cindy 
Cicalese]"
        ],
@@ -27,7 +27,8 @@
                "LoadExtensionSchemaUpdates": 
"OpenIDConnect::loadExtensionSchemaUpdates"
        },
        "config": {
-               "OpenIDConnect_MigrateUsers": false,
+               "OpenIDConnect_MigrateUsersByEmail": false,
+               "OpenIDConnect_MigrateUsersByUserName": false,
                "OpenIDConnect_ForceLogout": false,
                "OpenIDConnect_UseRealNameAsUserName": false,
                "OpenIDConnect_UseEmailNameAsUserName": false,

-- 
To view, visit https://gerrit.wikimedia.org/r/277483

Gerrit-MessageType: merged
Gerrit-Change-Id: Ia7a1b69e4204812ec9e47f87b8a402596f34e90b
Gerrit-PatchSet: 6
Gerrit-Project: mediawiki/extensions/OpenIDConnect
Gerrit-Branch: master
Gerrit-Owner: Quantum7 <quant...@gmail.com>
Gerrit-Reviewer: Cicalese <cical...@mitre.org>
Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com>
Gerrit-Reviewer: Paladox <thomasmulhall...@yahoo.com>
Gerrit-Reviewer: Quantum7 <quant...@gmail.com>
Gerrit-Reviewer: Reedy <re...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
