Hi, This shouldn't affect very many installations as CentralAuth is very WMF-specific but letting everyone know that a fix for CentralAuth has just been released.
It allowed user impersonation by a combination of the apioutput.js (used for api.php output customization) and the central auth cookie. The bug is: https://phabricator.wikimedia.org/T144573 The gerrit change is: https://gerrit.wikimedia.org/r/#/c/333316/ -Chad _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l