https://bugzilla.wikimedia.org/show_bug.cgi?id=30636
--- Comment #15 from Gregor Hagedorn <[email protected]> 2011-09-24 05:04:20 UTC --- (In reply to comment #12) > The biggest problem is the complete lack of logging: this system effectively > gives people carte blanche to access other users' accounts since they can > simply change the password silently and then log in as the user. Although the > user themselves knows that their account has been hijacked because the You are presenting the use case of a large open community wiki with self-registering and self-managing users, like Wikipedia. This extensions is not installed there, lack of logging is a good reason. The use case where this extension is needed is mediawiki installations with managed users. Typically users are not creating their accounts themselves, an admin has done it for for them. Often a substantial fraction of users has only limited training for specific tasks, not full understanding of mediawiki special pages. Replacing forgotten passwords is an admin responsibility. While logging would be nice, it is not absolutely required. > Overall, I don't think the remaining functionality of this extension should be > put into core, and I'm not particularly enamoured with it as an extension > either. At most, I can fix the name collision by renaming the special page in > the extension to ResetUserPassword or somesuch. But I'd rather delete it > altogether unless presented with a justifiable usecase. If changing the special page name of the extension is the best possible solution, it is better than to break all managed mediawiki installations. There are doubtlessly many extensions outside of the WMF managed SVN repository, and respecting their special page names is not expected. I am not sure, however, why mw core must break a mediawiki.org SVN managed extension without a good reason. If there is a good reason that the core page must be the preoccupied "PasswordReset" instead of the (to my knowledge) available "ResetPassword" then please change the extension special page name. In the longer term, merging third-party-password-reset-functionality into core, while adding a logging function would be welcome. But here I am only concerned with in-house installations being able to the soon-to-be-released 1.18. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
