https://bugzilla.wikimedia.org/show_bug.cgi?id=55639
Kunal Mehta (Legoktm) <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #2 from Kunal Mehta (Legoktm) <[email protected]> --- (In reply to comment #1) > What exactly are you trying to do? As comment 0 explains, the extension is currently screenscraping (Ew), and should use the API instead. > > From > http://en.illogicopedia.org/wiki/Forum:Really,_seriously,_actually_moving, > _for_real_this_time > it would very much appear that you are prompting for username and password, > then using these credentials to log onto some other server which is not > yours. > Once there, you seem to be trying to ask for individual user's e-mail, real > name or personal info by claiming to be that user. Yes, that is basically what the MediaWikiAuth extension does. > If so, that's really not the way that MW is intended to work and, from a > security standpoint, is a really questionable way of doing things. Okay. > There is a proper way of handling this sort of authentication without having > users give you (wittingly or unwittingly) their password from some other > server. You might want to look at the way the TUSC accounts are created, for > instance - the user logs onto the original server and places some sort of > token > on their page there to indicate they're the same person requesting a new > password. A similar approach was used to match Wikitravel users to the same > user on Wikivoyage - even though the former is abusing > [[mw:extension:AbuseFilter]] to ban all mention of WV. Cool. Feel free to write an extension that transparently takes care of all of this. -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
