Page MenuHomePhabricator
Create Task
Maniphest T19544

Client-side validation of the username availability (done) and that password meets requirements
Closed, ResolvedPublic
Actions

Description

When a user tries to create an account, if the captcha is successful but the username is already taken or the passwords doesn't match, the user has to take the test again. This is bad, especially since captchas are far from user friendly.

So, why not keep in mind that the user passed the captcha ?

Version: unspecified
Severity: enhancement
See Also:
T58025: AJAX validation of username for password reset

Details

Reference
bz17544

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:30 PM
bzimport added projects: MediaWiki-User-login-and-signup, Accessibility.
bzimport set Reference to bz17544.
bzimport added a subscriber: Unknown Object (MLST).
The_RedBurn created this task.Feb 17 2009, 11:36 PM
Spage added a comment.Apr 19 2013, 9:54 PM

Seems doable, using similar counter and expiration logic to ConfirmEdit/Captcha.php's triggerUserLogin(). There are probably security implications I overlook.

Were we to do client-side validation in Create account (see ACUX-3 in https://meta.wikimedia.org/wiki/Research:Account_creation_UX ), then users would be informed of_some_ form problems before filling out the CAPTCHA, lessening the need for this enhancements.

The_RedBurn added a comment.Sep 12 2013, 2:31 PM

Indeed, client-side validation of the username availability and password seems like a much better way to do it.

bzimport added a comment.Dec 6 2013, 7:28 PM

swalling wrote:

*** Bug 47685 has been marked as a duplicate of this bug. ***

GWicke added a comment.Dec 6 2013, 10:40 PM

In addition to the captcha, the user also has to re-enter the password twice. The only bit of previously-entered information that currently survives is the mail address.

Mattflaschen-WMF added a comment.Dec 7 2013, 3:44 AM

The username also survives.

GWicke added a comment.Dec 7 2013, 8:33 PM

(In reply to comment #5)

The username also survives.

Yeah, although you'll normally change it when you are looking for an unused username.

Mattflaschen-WMF added a comment.Sep 3 2014, 11:55 PM

There is nothing to validate for the email, since more than one account can have the same email.

Aklapper subscribed.Mar 17 2015, 11:58 AM

If I try to register an existing username, I get a warning displayed: Account creation error Username entered already in use. Please choose a different name. So that part seems to be fixed nowadays? Should the task summary be updated?

The password validation (very same password entered twice) seems to still be valid though - need to enter the passwords and capture again.

The password strength aspect seems to be covered by T5348 already.

Aklapper mentioned this in T92612: When creating an account users should only have to solve CAPTCHA once.Mar 17 2015, 11:59 AM
Aklapper merged a task: T92612: When creating an account users should only have to solve CAPTCHA once.
Aklapper added a subscriber: jhsoby.
Mattflaschen-WMF renamed this task from Client-side validation of the username availability and that password meets requirements to Client-side validation of the username availability (done) and that password meets requirements.Mar 25 2015, 5:27 AM
Mattflaschen-WMF set Security to None.
Tgr mentioned this in T58025: AJAX validation of username for password reset.Sep 2 2015, 9:32 PM
Parent5446 mentioned this in T5348: Passwords should be checked for strength before being set.Jan 7 2016, 12:03 AM
Danny_B moved this task from Unsorted to Processes on the Accessibility board.Jan 22 2016, 10:51 PM
Anomie mentioned this in T42648: Can't validate username against blocking extensions AntiSpoof & TitleBlacklist.Jun 16 2016, 7:48 PM
Anomie closed subtask T42648: Can't validate username against blocking extensions AntiSpoof & TitleBlacklist as Resolved.
Mattflaschen-WMF unsubscribed.Jun 16 2016, 8:36 PM
Tgr updated the task description. (Show Details)Nov 18 2016, 1:21 AM
Tgr subscribed.Dec 6 2016, 6:33 AM

Will be done in https://gerrit.wikimedia.org/r/#/c/324969 / https://gerrit.wikimedia.org/r/#/c/324970

matmarex closed subtask T66728: "Username in use by unified login system" warning not appearing until after the signup form is submitted as Resolved.May 29 2017, 5:05 PM
matmarex closed this task as Resolved.May 29 2017, 5:10 PM
matmarex assigned this task to Anomie.

Both of the changes have been merged and this appears to work correctly.

image.png (1×1 px, 160 KB)
image.png (1×1 px, 159 KB)

matmarex removed a subtask: T63416: Give warning on account creation when user name is adjusted silently.May 29 2017, 5:10 PM
matmarex added a parent task: T63416: Give warning on account creation when user name is adjusted silently.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits