-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 8/2/2010 7:18 PM, [email protected] wrote: > Say, I noticed on Wikia one can make a user an administrator, even if he > has never logged in yet. > > This exposes a security risk. A bureaucrat pre-makes some accounts for > future administrators, but before they establish accounts, somebody else > establishes an account with that name, and becomes an instant > administrator. > > I'm wondering if the is a MediaWiki-wide bug, or just Wikia's.
Wikia bug if they're doing something stupid like populating the user groups table without a corresponding user. MediaWiki wont let you assign groups to users that don't exist. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMV2E2AAoJEL+AqFCTAyc2c6oIAJkC9sDm+w6IVCYdQ8/iYdbd Zd2z2tz+AJCE+ZNa6BFb3dCEl1yUcpp0D4b0iRA2Cn0AgjTXQuz0wSsVT6MTiSI1 1OM2D9Tlv/xoY0PotVevIFuCaO4XKIzkAUpWR8Htc0rhh8f1+Lo7k668iG4yWIFS iSBlHdsG5G+Ugqk9IbCRm9jErL8WkGUz/D5b9KD7Azu8CtCOSCowOz3qvuJNT7z+ KgDQCp4aavl7FZEDYhqxjYQPWIDsHI7d3nBoD713vpjfSCroYkrDa9v0ZqlMRTFw agL1XBG+7fanaz0iIqDcOxrgIUL1AqEXNtEt32frKrE546euRhb+sFyIVFhJxBI= =5hTF -----END PGP SIGNATURE----- _______________________________________________ MediaWiki-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
