Page MenuHomePhabricator
Create Task
Maniphest T196386

MediaWiki should prevent username registration if the username previously existed
Closed, ResolvedPublic
Actions

Assigned To
matmarex
Authored By
Bawolff
Jun 4 2018, 4:16 PM
Project Tags
Referenced Files
F75881757: 0001-Prevent-username-registration-if-the-username-previo.patch
Apr 13 2026, 9:27 PM
F75881738: 0001-Prevent-username-registration-if-the-username-previo.patch
Apr 13 2026, 9:27 PM
Subscribers
A_smart_kitten
Aklapper
Bawolff
gerritbot
Johannnes89
Ladsgroup
Legoktm
View All 13 Subscribers

Description

See T194204.

Its a problem with spoofing usernames, as well as people loading JS from old usernames.

Sometimes its important to create such accounts, so its important to be able to override (which antispoof already supports)

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Jun 4 2018, 4:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 4 2018, 4:16 PM
Aklapper added a project: AntiSpoof.Jun 4 2018, 4:26 PM
Bawolff added a subscriber: MarcoAurelio.Jun 13 2018, 1:04 AM

This got deployed.

It was pointed out the solution only works for renames after 2014. Special:log/renameuser goes back earlier than that, but its hard to use as its not unified, and log_title becomes messed up by later renames.

Leaving this open for now, well we figure out if we have to do anything related to mediawiki security release for this task.

Bawolff triaged this task as High priority.Jul 9 2018, 11:07 PM
Bawolff added a parent task: T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.

See 867b0d77945635093416f51966b83327c24b7af6

Perhaps we need to also do something for plain ol' fashioned non-CA user renames.

Legoktm mentioned this in T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1.Aug 29 2018, 12:55 AM
Legoktm subscribed.Aug 29 2018, 12:57 AM

A similar patch should be made in either Renameuser or AntiSpoof for normal non-CA renames since most people don't use CA. I'm removing this as a security release blocker since this doesn't affect any tarball bundled functionality.

Legoktm edited parent tasks, added: T191736: Bundle AntiSpoof extension with MediaWiki; removed: T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Aug 29 2018, 12:57 AM
MarcoAurelio renamed this task from Antispoof should prevent username registration if the username previously exist to Antispoof should prevent username registration if the username previously existed.Aug 29 2018, 8:50 PM
Ladsgroup subscribed.Oct 27 2018, 10:25 AM

This doesn't work: https://meta.wikimedia.org/w/api.php?action=antispoof&username=%20Akuski&format=json

Ladsgroup added a comment.Oct 27 2018, 11:21 AM
In T196386#4699616, @Ladsgroup wrote:

This doesn't work: https://meta.wikimedia.org/w/api.php?action=antispoof&username=%20Akuski&format=json

Correction: It works but only for registering new users and not any other anti-spoof functionality.

chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
Dsharpe added a subscriber: Zabe.Feb 27 2022, 1:15 AM
matmarex mentioned this in T321482: AntiSpoof shows a nonsensical message for renamed usernames.Sep 3 2025, 10:28 PM
matmarex mentioned this in T183212: Javascript and CSS pages redirected after rename can be taken over by a newly registered user with the old name.Mar 23 2026, 6:38 PM
matmarex claimed this task.Apr 13 2026, 3:44 PM
matmarex added subscribers: sbassett, matmarex.

Since this task was filed, the Renameuser extension has been merged into core (T27482), so I think core is now a better place to put this feature than AntiSpoof. It also makes the implementation simpler.

I've been working on a patch, but I wonder, perhaps it could be submitted publicly to Gerrit. This task has been open for 8 years now, with a workaround patch merged in CentralAuth (439496), and has been discussed in other public tasks (e.g. T321482).

Could we make this task public as well? (CC @sbassett)

Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptApr 13 2026, 3:44 PM
matmarex added a project: Patch-For-Review.Apr 13 2026, 9:27 PM

Proposed patches (I will submit to Gerrit instead if this task becomes public):

core
0001-Prevent-username-registration-if-the-username-previo.patch23 KBDownload
CentralAuth
0001-Prevent-username-registration-if-the-username-previo.patch20 KBDownload

This will also fix T364330 and T321482.

sbassett added a subscriber: gerritbot.Apr 14 2026, 6:23 PM
In T196386#11815156, @matmarex wrote:

I've been working on a patch, but I wonder, perhaps it could be submitted publicly to Gerrit. This task has been open for 8 years now, with a workaround patch merged in CentralAuth (439496), and has been discussed in other public tasks (e.g. T321482).

Could we make this task public as well? (CC @sbassett)

Yeah, I think that's fine. I'll go ahead and make this public.

sbassett lowered the priority of this task from High to Medium.Apr 14 2026, 6:24 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
gerritbot added a comment.Apr 14 2026, 8:52 PM

Change #1271055 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] Prevent username registration if the username previously existed

https://gerrit.wikimedia.org/r/1271055

gerritbot added a comment.Apr 14 2026, 8:55 PM

Change #1271058 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] Prevent username registration if the username previously existed (v2)

https://gerrit.wikimedia.org/r/1271058

matmarex added a project: MediaWiki-Platform-Team (Kanban Board).Apr 14 2026, 9:01 PM
matmarex moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Kanban Board) board.
Novem_Linguae subscribed.Apr 14 2026, 9:02 PM
matmarex renamed this task from Antispoof should prevent username registration if the username previously existed to MediaWiki should prevent username registration if the username previously existed.Apr 14 2026, 9:05 PM
matmarex removed a parent task: T191736: Bundle AntiSpoof extension with MediaWiki.
matmarex edited projects, added: MediaWiki-User-rename, MediaWiki-extensions-CentralAuth; removed: AntiSpoof.
matmarex added parent tasks: Restricted Task, T321482: AntiSpoof shows a nonsensical message for renamed usernames.Apr 14 2026, 9:08 PM
matmarex added a parent task: T209760: More specific error messages when user rename fails AntiSpoof.Apr 16 2026, 10:33 PM
matmarex mentioned this in T209760: More specific error messages when user rename fails AntiSpoof.
matmarex added a parent task: T183212: Javascript and CSS pages redirected after rename can be taken over by a newly registered user with the old name.Apr 17 2026, 6:32 PM
A_smart_kitten subscribed.Apr 18 2026, 3:23 PM
gerritbot added a comment.May 7 2026, 11:03 PM

Change #1271055 merged by jenkins-bot:

[mediawiki/core@master] Prevent username registration if the username previously existed

https://gerrit.wikimedia.org/r/1271055

gerritbot added a comment.May 7 2026, 11:03 PM

Change #1271058 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Prevent username registration if the username previously existed (v2)

https://gerrit.wikimedia.org/r/1271058

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.2; 2026-05-12).May 8 2026, 12:00 AM
Nemoralis added a project: User-notice.May 8 2026, 8:16 AM
STei-WMF added subscribers: Nemoralis, STei-WMF.EditedMay 8 2026, 4:03 PM

@Nemoralis hello, I am responding to the usernotice tag :)
How should this update be worded for Tech News?

matmarex added a comment.May 8 2026, 9:23 PM

I'm not sure if User-notice in Tech News is necessary here, as this is not a significant change for Wikimedia wikis – reusing previously renamed usernames was already disallowed since @Bawolff's first patch on this task in 2018 (T196386#4410039). My changes only improve the error messages you get if you try, and clarify the interface for overriding this limitation (available to sysops, account creators, stewards etc.). I'd be happy to write one if you think it's valuable (@Nemoralis @STei-WMF).

Maybe I should add a release note for MediaWiki 1.47 though, since this will be something new for third-party users (assuming they don't use CentralAuth).

I should also grant the new right to override this to some of the groups which currently have the override-antispoof right (local and global).

gerritbot added a comment.May 8 2026, 9:51 PM

Change #1285444 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] RenameUser: Treat "previously-renamed-account" as a warning, not error

https://gerrit.wikimedia.org/r/1285444

gerritbot added a comment.May 8 2026, 9:51 PM

Change #1285445 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] Add release note about account creation with renamed usernames

https://gerrit.wikimedia.org/r/1285445

gerritbot added a comment.May 8 2026, 10:10 PM

Change #1285448 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[operations/mediawiki-config@master] Grant 'createpreviouslyrenamedaccount' to account creators and sysop-likes

https://gerrit.wikimedia.org/r/1285448

matmarex added a comment.May 8 2026, 10:37 PM

I'll schedule the config changes for Monday (and also backports of the patches, to avoid confusing appearance of user rights): https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20260511T1300

gerritbot added a comment.May 8 2026, 10:48 PM

Change #1285460 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@wmf/1.47.0-wmf.1] Prevent username registration if the username previously existed

https://gerrit.wikimedia.org/r/1285460

gerritbot added a comment.May 8 2026, 10:49 PM

Change #1285461 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@wmf/1.47.0-wmf.1] Prevent username registration if the username previously existed (v2)

https://gerrit.wikimedia.org/r/1285461

gerritbot added a comment.May 11 2026, 1:34 PM

Change #1285460 merged by jenkins-bot:

[mediawiki/core@wmf/1.47.0-wmf.1] Prevent username registration if the username previously existed

https://gerrit.wikimedia.org/r/1285460

gerritbot added a comment.May 11 2026, 1:34 PM

Change #1285461 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.47.0-wmf.1] Prevent username registration if the username previously existed (v2)

https://gerrit.wikimedia.org/r/1285461

Stashbot added a comment.May 11 2026, 1:38 PM

Mentioned in SAL (#wikimedia-operations) [2026-05-11T13:38:44Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1285460|Prevent username registration if the username previously existed (T196386)]], [[gerrit:1285461|Prevent username registration if the username previously existed (v2) (T196386)]], [[gerrit:1285462|API: Introduce list=globalusers (T261752)]], [[gerrit:1285761|list=globalusers: Avoid querying group permissions with empty group list (T

Stashbot mentioned this in T261752: Add an API module to display status of multiple globally locked users.May 11 2026, 1:38 PM
ReleaseTaggerBot edited projects, added: MW-1.47-notes (1.47.0-wmf.1; 2026-05-05); removed: MW-1.47-notes (1.47.0-wmf.2; 2026-05-12).May 11 2026, 2:00 PM
Stashbot added a comment.May 11 2026, 2:04 PM

Mentioned in SAL (#wikimedia-operations) [2026-05-11T14:04:32Z] <lucaswerkmeister-wmde@deploy1003> matmarex, lucaswerkmeister-wmde: Backport for [[gerrit:1285460|Prevent username registration if the username previously existed (T196386)]], [[gerrit:1285461|Prevent username registration if the username previously existed (v2) (T196386)]], [[gerrit:1285462|API: Introduce list=globalusers (T261752)]], [[gerrit:1285761|list=globalusers: Avoid querying group permissions with empty group

Stashbot added a comment.May 11 2026, 2:18 PM

Mentioned in SAL (#wikimedia-operations) [2026-05-11T14:18:07Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1285460|Prevent username registration if the username previously existed (T196386)]], [[gerrit:1285461|Prevent username registration if the username previously existed (v2) (T196386)]], [[gerrit:1285462|API: Introduce list=globalusers (T261752)]], [[gerrit:1285761|list=globalusers: Avoid querying group permissions with empty group list (

gerritbot added a comment.May 11 2026, 2:20 PM

Change #1285448 merged by jenkins-bot:

[operations/mediawiki-config@master] Grant 'createpreviouslyrenamedaccount' to account creators and sysop-likes

https://gerrit.wikimedia.org/r/1285448

Stashbot mentioned this in T425785: TypeError: experiment.send is not a function.May 11 2026, 2:20 PM

Mentioned in SAL (#wikimedia-operations) [2026-05-11T14:20:38Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1285448|Grant 'createpreviouslyrenamedaccount' to account creators and sysop-likes (T196386)]], [[gerrit:1278704|WikiLambdaApi: update stream configuration (T415254)]], [[gerrit:1285352|WikiLambdaApi instrument: Sets the custom schemaID (T415254)]], [[gerrit:1285406|editSaves: getExperiment returns a promise now (T425785)]]

Stashbot mentioned this in T415254: Migrate "WikiLambda API" instrument to use the Test Kitchen SDK.May 11 2026, 2:20 PM
Stashbot added a comment.May 11 2026, 2:26 PM

Mentioned in SAL (#wikimedia-operations) [2026-05-11T14:26:18Z] <lucaswerkmeister-wmde@deploy1003> lucaswerkmeister-wmde, jforrester, matmarex, sfaci: Backport for [[gerrit:1285448|Grant 'createpreviouslyrenamedaccount' to account creators and sysop-likes (T196386)]], [[gerrit:1278704|WikiLambdaApi: update stream configuration (T415254)]], [[gerrit:1285352|WikiLambdaApi instrument: Sets the custom schemaID (T415254)]], [[gerrit:1285406|editSaves: getExperiment returns a promise now

Stashbot added a comment.May 11 2026, 2:39 PM

Mentioned in SAL (#wikimedia-operations) [2026-05-11T14:39:28Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1285448|Grant 'createpreviouslyrenamedaccount' to account creators and sysop-likes (T196386)]], [[gerrit:1278704|WikiLambdaApi: update stream configuration (T415254)]], [[gerrit:1285352|WikiLambdaApi instrument: Sets the custom schemaID (T415254)]], [[gerrit:1285406|editSaves: getExperiment returns a promise now (T425785)]] (duration: 18

matmarex added a comment.May 11 2026, 3:26 PM

Updated global groups too: https://meta.wikimedia.org/wiki/Special:Log?type=gblrights&user=Bartosz+Dziewoński+(WMF)&wpdate=2026-05-11&subtype=groupprms&limit=3

STei-WMF added a comment.Wed, May 13, 4:10 PM

@matmarex I will skip this then. Thanks for explaining!

gerritbot added a comment.Mon, May 18, 11:01 PM

Change #1285444 merged by jenkins-bot:

[mediawiki/core@master] RenameUser: Treat "previously-renamed-account" as a warning, not error

https://gerrit.wikimedia.org/r/1285444

gerritbot added a comment.Mon, May 18, 11:02 PM

Change #1285445 merged by jenkins-bot:

[mediawiki/core@master] Add release note about account creation with renamed usernames

https://gerrit.wikimedia.org/r/1285445

ReleaseTaggerBot edited projects, added: MW-1.47-notes (1.47.0-wmf.3; 2026-05-19); removed: MW-1.47-notes (1.47.0-wmf.1; 2026-05-05).Tue, May 19, 12:01 AM
STei-WMF removed a project: User-notice.Wed, May 20, 6:38 PM
STei-WMF unsubscribed.
matmarex closed this task as Resolved.Wed, May 20, 10:03 PM
matmarex removed a project: Patch-For-Review.
matmarex mentioned this in T426917: Display another warning message when renaming an account to a username whose user page has existing JS/CSS subpages.Wed, May 20, 10:21 PM
matmarex mentioned this in T202262: Display global rename log in "Previous global account changes".Thu, May 21, 9:51 PM
matmarex mentioned this in T402732: Special:CentralAuth should indicate when the user has been renamed.
Johannnes89 subscribed.Thu, Jun 11, 7:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits