https://bugzilla.wikimedia.org/show_bug.cgi?id=30636
--- Comment #12 from Happy-melon <[email protected]> 2011-09-23 21:03:30 UTC ---

To be honest, this extension a) scares me, and b) provides relatively little functionality that is not already available in core as of 1.18.

The biggest problem is the complete lack of logging: this system effectively gives people carte blanche to access other users' accounts since they can simply change the password silently and then log in as the user. Although the user themselves knows that their account has been hijacked because the password has changed, there is no way they can possibly prove that they are *not* in control of the account (can't prove a negative, and all that). Basic principles of security dictate that it should be very hard if not impossible to justify someone knowing someone else's plaintext password, even administrators of internal wikis.

Overall, I don't think the remaining functionality of this extension should be put into core, and I'm not particularly enamoured with it as an extension either. At most, I can fix the name collision by renaming the special page in the extension to ResetUserPassword or somesuch. But I'd rather delete it altogether unless presented with a justifiable use case.
