Index: trunk/extensions/OpenID/README |
— | — | @@ -1,353 +0,0 @@ |
2 | | -MediaWiki OpenID extension |
3 | | - |
4 | | -version 0.9.0 |
5 | | -20 June 2009 |
6 | | - |
7 | | -This is the README file for the OpenID extension for MediaWiki software. The |
8 | | -extension is only useful if you've got a MediaWiki installation; it can only be |
9 | | -installed by the administrator of the site. |
10 | | - |
11 | | -The extension lets users log in with an OpenID (http://www.openid.net/) instead |
12 | | -of a username and password. An OpenID is a special URL that people can use to |
13 | | -log in to a Web site. The extension also lets users who have an account on the |
14 | | -wiki log in to other OpenID-aware Web sites with their wiki user page as their |
15 | | -OpenID. |
16 | | - |
17 | | -Typical uses: |
18 | | - |
19 | | -* Single-signon between multiple affiliated wikis and other sites. We have |
20 | | - almost 20 wikis that work together for Wikitravel, and users can login to |
21 | | - different Wikitravel wikis with their home wiki account. |
22 | | -* Single-signon across the Internet. Many, many sites now support OpenID, |
23 | | - including "big names" like Yahoo!, Google, and AOL. Allowing users to login |
24 | | - with OpenID means one less step for them to contribute to your wiki. |
25 | | -* Distributed reputation. Logging into a new wiki with the same username as you |
26 | | - have on another wiki doesn't prove that they're the same person. Logging in |
27 | | - with your OpenID from the old wiki does. Using OpenID can help build a |
28 | | - distributed reputation across the wiki world. |
29 | | - |
30 | | -The software supports OpenID 2.0 and '''requires''' the openidenabled.com 2.x |
31 | | -libraries. Users of previous versions should see [[#Upgrade]] for more |
32 | | -information. |
33 | | - |
34 | | -This extension has been in use for years on several large wikis without known |
35 | | -security problems. However, no software is completely bug-free or secure, and |
36 | | -there's no guarantee that this software will work as advertised. See [[#Bugs]] |
37 | | -section below for info on how to report problems. |
38 | | - |
39 | | -== License == |
40 | | - |
41 | | -Copyright 2006,2007 Internet Brands (http://www.internetbrands.com/) |
42 | | -Copyright 2008 Evan Prodromou (http://vinismo.com/en/User:Evan) |
43 | | - |
44 | | -This program is free software; you can redistribute it and/or modify |
45 | | -it under the terms of the GNU General Public License as published by |
46 | | -the Free Software Foundation; either version 2 of the License, or |
47 | | -(at your option) any later version. |
48 | | - |
49 | | -This program is distributed in the hope that it will be useful, |
50 | | -but WITHOUT ANY WARRANTY; without even the implied warranty of |
51 | | -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
52 | | -GNU General Public License for more details. |
53 | | - |
54 | | -You should have received a copy of the GNU General Public License |
55 | | -along with this program; if not, write to the Free Software |
56 | | -Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
57 | | - |
58 | | -== Author == |
59 | | - |
60 | | -Evan Prodromou <evan@vinismo.com> |
61 | | - |
62 | | -Patches for YADIS support and FileStore storage by Jonathan Daugherty |
63 | | -<cygnus@janrain.com>. |
64 | | - |
65 | | -== Pre-requisites == |
66 | | - |
67 | | -This software has been tested in production with MediaWiki 1.11.x. It may or |
68 | | -may not work with earlier or later versions, but I'm interested in making later |
69 | | -versions work, and I'd be happy to make minor changes to make older, unsupported |
70 | | -versions work too. |
71 | | - |
72 | | -The software depends on the OpenIDEnabled.com PHP library for OpenID, which in |
73 | | -turn depends on the OpenIDEnabled.com PHP library for YADIS. At the time of this |
74 | | -writing, info on installing these libraries was available here: |
75 | | - |
76 | | - http://www.openidenabled.com/php-openid/ |
77 | | - |
78 | | -The last version tested with is 2.0.1; '''versions below 2.0 will not work'''. |
79 | | -If you must use version 1.x of the openidenabled.com library, you can use the |
80 | | -unsupported version 0.7.0 or below of this extension. |
81 | | - |
82 | | -There are also some required PHP extensions; see the OpenIDEnabled documentation |
83 | | -for details. This software has been tested with the gmp and curl PHP extensions |
84 | | -installed, and it's recommended that you install them, too. |
85 | | - |
86 | | -Note that some versions of MediaWiki overwrite the PHP library path in |
87 | | -LocalSettings.php. You may need to add the path to your PHP library directory |
88 | | -to the $path variable, like "/usr/share/php" or "/usr/local/share/php". |
89 | | - |
90 | | -== Installation == |
91 | | - |
92 | | -First, make sure that you have everytging listed at |
93 | | - |
94 | | - http://www.mediawiki.org/wiki/Extension:OpenID/README#Pre-requisites |
95 | | - |
96 | | -To install, copy all the files in the archive you downloaded to the OpenID |
97 | | -subdirectory of the extensions subdirectory of your MediaWiki installation. Note |
98 | | -that the software depends on having its code all in the "OpenID" sub-directory; |
99 | | -naming it "OpenID-Test" or "newextension1" or whatever won't work. |
100 | | - |
101 | | -Run update.php script in in your MediaWiki maintenance folder to create |
102 | | -necessary tables in MediaWiki database. |
103 | | - |
104 | | -Version 0.3 and below of this extension used a different database structure |
105 | | -that was pretty inefficient. If you installed this extension before, you should |
106 | | -copy the optionToTable.php script to your MediaWiki "maintenance" directory and |
107 | | -run it from the command line. This will copy the OpenID mappings from the user |
108 | | -table to the new table (but it doesn't erase the old data... just in case). |
109 | | - |
110 | | -In your MediaWiki LocalSettings.php, add the following line some place towards |
111 | | -the bottom of the file: |
112 | | - |
113 | | - require_once( "$IP/extensions/OpenID/OpenID.setup.php" ); |
114 | | - |
115 | | -Theoretically it should work out of the box, but you'll almost definitely want |
116 | | -to set the trust root and access controls (see Configuration below). |
117 | | - |
118 | | -== Upgrade == |
119 | | - |
120 | | -'''This is an incompatible upgrade to the previous version of the MediaWiki |
121 | | -OpenID library.''' In particular, the interfaces of the openidenabled.com |
122 | | -libraries have changed from 1.x to 2.x, and no effort has been made to retain |
123 | | -backwards compatibility with the 1.x versions of the library. |
124 | | - |
125 | | -To upgrade, you'll need to do at least the following: |
126 | | - |
127 | | -* Install the 2.x version of the openidenabled.com PHP OpenID library. |
128 | | -* Check that your consumer and server stores are correct. I got tired of |
129 | | - maintaining the MemcStore that nobody seemed to want, so if you used that, you |
130 | | - need to use the filestore now. See below for how to configure it. |
131 | | -* Change your require_once line in LocalSettings.php to use the .setup.php file. |
132 | | -* 'openidlogininstructions' is now wikitext, not HTML. If you've customized it, |
133 | | - you may need to re-customize it. Also, it's now shown '''below''' the login |
134 | | - box, so if you say ''the box below'', you may want to change that to ''the box |
135 | | - above''. |
136 | | -* The extension has been converted to use a clumsy and perverse OOP-like |
137 | | - structure, with one class per special page. Most function names have been |
138 | | - changed to methods of these classes. If you used them, look around for their |
139 | | - replacements. |
140 | | -* The extension has been converted to use the autoloading features of MediaWiki, |
141 | | - which means that you need to require() the files directly if you really want |
142 | | - to use their code. Or you might get lucky and have autoloading work for you. |
143 | | - |
144 | | -If you find other incompatibilities that I haven't mentioned here, please let |
145 | | -me know. |
146 | | - |
147 | | -== Logging in using OpenID == |
148 | | - |
149 | | -To log in to the wiki using an OpenID, go to the Special:OpenIDLogin |
150 | | -page on the wiki. Add the OpenID identity URL to the login box, and |
151 | | -click "Verify". |
152 | | - |
153 | | -This ''should'' take you to the OpenID server for your identity, where |
154 | | -you can either log in (if you're not already) or approve allowing the |
155 | | -wiki to use your OpenID for logging in. If the OpenID server supports |
156 | | -the Simple Registration Extension ('sreg'), it may also ask you |
157 | | -whether to share personal information like your preferred nickname, |
158 | | -real name, email address, etc. Choose as you wish. |
159 | | - |
160 | | -Once you're logged in to your OpenID server, and you've finished |
161 | | -approving the login, you should return to the wiki from whence you |
162 | | -came automatically. |
163 | | - |
164 | | -Every user who logs in with an OpenID identity for the first time will |
165 | | -be assigned a "fake" username in the local wiki. (This just makes |
166 | | -things work better.) |
167 | | - |
168 | | -If you've allowed your nickname to be passed to the wiki, and it's not |
169 | | -already taken, and it's a legal MediaWiki user name, then it should |
170 | | -use that for your login automatically. |
171 | | - |
172 | | -If not, the extension will try to make up some good candidate |
173 | | -usernames for you and present you with a choice. If you don't like any |
174 | | -of them, you can make up your own. |
175 | | - |
176 | | -After you're logged in, you can edit, read, write, and do all the |
177 | | -other things that MediaWiki users do. Since you've got a "real" |
178 | | -account, you'll also have a home page and a message page and such. It |
179 | | -should also be possible to assign extra permissions ('sysop', |
180 | | -'bureaucrat') to the account. You can log out as normal. |
181 | | - |
182 | | -To log back in, use the OpenIDLogin page again. Don't try to login |
183 | | -using the regular login page, since it won't work. |
184 | | - |
185 | | -You can log in with an Interwiki abbreviation of an URL right now, but |
186 | | -that's experimental and may disappear in later versions. Don't fall in |
187 | | -love with this convenient, useful feature. You may get hurt. |
188 | | - |
189 | | -== Using a MediaWiki account as an OpenID == |
190 | | - |
191 | | -To log in to other sites with your MediaWiki account, your OpenID |
192 | | -identity URL is the full URL of your MediaWiki user page. So, for |
193 | | -example, the author's identity URL is: |
194 | | - |
195 | | - http://wikitravel.org/en/User:Evan |
196 | | - |
197 | | -When you use this OpenID with another site, logging in should take you |
198 | | -to the wiki site. You may need to enter your password if you're not |
199 | | -already logged in. |
200 | | - |
201 | | -You'll then be asked if you want to let the other site log you in, and |
202 | | -if you want the MediaWiki wiki to share your personal information |
203 | | -(nickname, email, full name, language) with the other site. Choose |
204 | | -what feels comfortable to you. For some sites, you may not be asked; |
205 | | -see Configuration below. |
206 | | - |
207 | | -Once you've finished deciding, the other site will finish the login. |
208 | | - |
209 | | -You can't log in through OpenID on the same server. You can't use the |
210 | | -user page for a fake account created for an OpenID login as an OpenID |
211 | | -itself. |
212 | | - |
213 | | -== Configuration == |
214 | | - |
215 | | -The administrator can configure these variables in the |
216 | | -LocalSettings.php file. Please read carefully. |
217 | | - |
218 | | -* $wgTrustRoot -- This is an URL that identifies your site to OpenID |
219 | | - servers. Typically, it's the "root" url of the site, like |
220 | | - "http://en.wikipedia.org/" or "http://wikitravel.org/it/". If this is |
221 | | - not set, the software will make a half-hearted guess, but it's not |
222 | | - very good and you should probably just set it. |
223 | | - |
224 | | -* $wgOpenIDConsumerDenyByDefault -- The administrator can decide which |
225 | | - OpenIDs are allowed to login to their server. If this flag is |
226 | | - true, only those OpenIDs that match one of the $wgOpenIDConsumerAllow |
227 | | - and not one of the $wgOpenIDConsumerDeny patterns will be allowed to |
228 | | - log in. If it is false, all OpenIDs are allowed to log in, unless |
229 | | - they are matched by an $wgOpenIDConsumerDeny pattern and not an |
230 | | - $wgOpenIDConsumerAllow. Typically you'll set this to true for |
231 | | - testing and then false for general use. |
232 | | - |
233 | | -* $wgOpenIDConsumerAllow -- an array of regular expressions that match |
234 | | - OpenIDs you want to allow to log in. For example, |
235 | | - "@^(http://)?wikitravel.org/@" will allow OpenIDs from the Wikitravel |
236 | | - domain. |
237 | | - |
238 | | -* $wgOpenIDConsumerDeny -- an array of regular expressions that match |
239 | | - OpenIDs you want to deny access to. This is mostly useful for |
240 | | - servers that are known to be bad. Example: "#^(http://)?example.com/#". |
241 | | - |
242 | | -* $wgOpenIDConsumerForce -- a single provider which will always be used, |
243 | | - bypassing the selection dialog and manual entry. Useful for team wikis |
244 | | - using a provider such as Google Apps for Your Domain. |
245 | | - |
246 | | -* $wgOpenIDUseEmailAsNickname -- designed for use with the above, parse |
247 | | - the e-mail address provided by your provider and use the user component |
248 | | - as the MediaWiki username. |
249 | | - |
250 | | -* $wgOpenIDTrustEmailAddress -- trust the e-mail address sent by the |
251 | | - provider and don't require it to be verified. If false (the default), |
252 | | - all new users will be required to validate their e-mail address. |
253 | | - |
254 | | -* $wgOpenIDServerForceAllowTrust -- an array of regular expressions |
255 | | - that match trust roots that you want to skip trust checks for when |
256 | | - the user logs in from those sites. A typical example would be a |
257 | | - closely federated cluster of sites (like Wikimedia, Wikia, or |
258 | | - Wikitravel) where the personal data is available to the trusting |
259 | | - server ''anyways''. Be very careful using this across organizational |
260 | | - boundaries. |
261 | | - |
262 | | -* $wgOpenIDConsumerStoreType and $wgOpenIDServerStoreType -- strings |
263 | | - denoting the type of storage to be used to store OpenID assocation |
264 | | - data when acting as an OpenID relying party (consumer) and server, |
265 | | - respectively. Valid values are "file", "memcached" and "db". |
266 | | - |
267 | | -* $wgOpenIDConsumerStorePath and $wgOpenIDServerStorePath -- strings |
268 | | - specifying the paths where OpenID assocation data should be stored |
269 | | - when acting as a relying party (consumer) or server, respectively. |
270 | | - Each of these need only be set if the store type settings (above) |
271 | | - are set to "file", respectively. These strings, if both are set, |
272 | | - MUST NOT be equal. If the store type is "file", the default here is |
273 | | - "/tmp/$wgDBname/openidconsumer/" and "/tmp/$wgDBname/openidserver/" |
274 | | - respectively. The path will be automatically created if it doesn't |
275 | | - exist at runtime. |
276 | | - |
277 | | -* $wgHideOpenIDLoginLink -- boolean that says whether or not to hide |
278 | | - the OpenID login link in the personal URLs. Typically you'd use this |
279 | | - if you've already got some other method for showing the OpenID login |
280 | | - link, like in your skin. Note that it will *not* prevent login if |
281 | | - the user navigates to Special:OpenIDLogin directly; it's simply |
282 | | - cosmetic. This is mostly a backwards-compatibility option. |
283 | | - |
284 | | -* $wgOpenIDLoginLogoUrl -- Url of the OpenID login logo. Defaults to |
285 | | - 'http://www.openid.net/login-bg.gif', but you may want to move it to |
286 | | - a local URL, or an URL on a CDN, if that kind of thing floats your |
287 | | - boat. |
288 | | - |
289 | | -* $wgOpenIDShowUrlOnUserPage -- whether to show the OpenID identity URL |
290 | | - on a user's home page. Possible values are 'always', 'never', or 'user' |
291 | | - (lets the user decide). Default is 'user'. |
292 | | - |
293 | | -* $wgOpenIDOnly -- defaults to false. With this enabled, users can |
294 | | - ''only'' log in with OpenID. This is principally of interest to |
295 | | - OpenID advocacy sites like openid.net, but you may want it, too. |
296 | | - |
297 | | -* $wgOpenIDClientOnly -- defaults to false. With this enabled, users |
298 | | - cannot use their accounts on the local wiki as OpenIDs on another |
299 | | - site. Sucks for users, but some admins have emailed me about not |
300 | | - wanting the responsibility of being an OpenID server, so this flag |
301 | | - is for them. |
302 | | - |
303 | | -* $wgOpenIDShowProviderIcons -- defaults to false due to potential |
304 | | - brand issues. With this enabled, users will see button graphics |
305 | | - instead of just links in OpenID provider UI. |
306 | | - |
307 | | -== Skins == |
308 | | - |
309 | | -If you are customizing a skin, and you want to show the OpenID |
310 | | -identity for a user (say, on their user page), use the function |
311 | | -OpenIDGetUserUrl($user). It takes a User object (not a name or an id!) |
312 | | -and returns the user's OpenID identity if it exists, or null if it |
313 | | -doesn't. |
314 | | - |
315 | | -== Translation == |
316 | | - |
317 | | -The user interface strings for this extension are configurable through |
318 | | -the same Special:Allmessages page as MediaWiki itself. They all start |
319 | | -with "openid", and they're no more or less cryptic than MediaWiki's. |
320 | | -You can look at OpenID.i18n.php for some details. |
321 | | - |
322 | | -== OpenID services == |
323 | | - |
324 | | -These are some of the OpenID services I tested this extension with; |
325 | | -all have free signup for identities if you want to test, too. |
326 | | - |
327 | | -* http://www.myopenid.com/ -- uses Simple Registration Extension |
328 | | -* http://getopenid.com/ |
329 | | -* http://www.typekey.com/ |
330 | | -* http://www.claimid.com/ |
331 | | -* http://pip.verisignlabs.com/ |
332 | | -* http://certifi.ca/ |
333 | | - |
334 | | -== Bugs == |
335 | | - |
336 | | -Please submit bugs into [https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OpenID Bugzilla under OpenID extenson component]. |
337 | | - |
338 | | -== TODO == |
339 | | -* Move TODO file and things below into Bugzilla |
340 | | - |
341 | | -The TODO file in this distribution has stuff I think needs to be |
342 | | -todone; + marks show things I've already done, and - shows things |
343 | | -that are yet to be done. |
344 | | - |
345 | | -The big changes for the future: |
346 | | - |
347 | | -* Configure some stuff through Special:Preferences or a dedicated |
348 | | - control panel |
349 | | -* Auto-login if you've logged in before with an OpenID, and are logged |
350 | | - into that account now |
351 | | - |
352 | | -== CHANGES == |
353 | | -* [http://svn.wikimedia.org/viewvc/mediawiki/tags/extensions/OpenID/REL_0_8_4/ 0.8.4] (April 16, 2009) - Added provider buttons to the OpenID login page with optional icons ($wgOpenIDShowProviderIcons) |
354 | | -* [http://svn.wikimedia.org/viewvc/mediawiki/tags/extensions/OpenID/REL_0_8_4_1/ 0.8.4.1] (April 16, 2009) - Post-release fix to broken icon on user's page. |
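Review bot: deleting README in full (@@ -1,353 +0,0) and re-adding it further down as README.OpenID-mediawiki-extension (@@ -0,0 +1,368) hides the actual text changes inside two whole-file hunks and cuts the file's history. The visible differences (version 0.9.0 to 0.9.1, library requirement 2.x to 2.2.2, the new remark that patches are required with PHP 5.3.x, the dropped "First, make sure that you have ..." paragraph under Installation) cannot be checked line by line this way. Suggest doing the rename as an svn move and committing the content edits on top of it, so the diff shows only what changed.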
Index: trunk/extensions/OpenID/OpenID.i18n.php |
— | — | @@ -52,7 +52,7 @@ |
53 | 53 | 'openidsuccess' => 'Verification succeeded', |
54 | 54 | 'openidsuccesstext' => 'Verification of the OpenID URL succeeded.', |
55 | 55 | 'openidusernameprefix' => 'OpenIDUser', |
56 | | - 'openidserverlogininstructions' => 'Enter your password below to log in to $3 as user $2 (user page $1).', |
| 56 | + 'openidserverlogininstructions' => '$3 requests that you enter your password for your user $2 page $1 (OpenID URL)', |
57 | 57 | 'openidtrustinstructions' => 'Check if you want to share data with $1.', |
58 | 58 | 'openidallowtrust' => 'Allow $1 to trust this user account.', |
59 | 59 | 'openidnopolicy' => 'Site has not specified a privacy policy.', |
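Review bot: the new 'openidserverlogininstructions' text on line 56 reads as if $3, the requesting site, is the party asking for the password ("$3 requests that you enter your password ..."). This string is shown on the wiki's own password prompt when it acts as the OpenID server, so it should say plainly that the password is entered here in order to log in to $3, which the removed wording "Enter your password below to log in to $3 as user $2 (user page $1)" did. Suggest keeping that sentence and only appending the "(OpenID URL)" remark after $1; "for your user $2 page $1" is also hard to parse as written.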
— | — | @@ -64,7 +64,7 @@ |
65 | 65 | 'openidemail' => 'E-mail address', |
66 | 66 | 'openidlanguage' => 'Language', |
67 | 67 | 'openidtimezone' => 'Time zone', |
68 | | - 'openidchooselegend' => 'Username choice', |
| 68 | + 'openidchooselegend' => 'Username and account choice', |
69 | 69 | 'openidchooseinstructions' => 'All users need a nickname; |
70 | 70 | you can choose one from the options below.', |
71 | 71 | 'openidchoosenick' => 'Your nickname ($1)', |
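Review bot: the legend on line 68 now says "Username and account choice", but 'openidchooseinstructions' directly below it still speaks only of a nickname ("All users need a nickname; you can choose one from the options below."). If the form now also offers a choice of account, update the instructions text in the same change so legend and body agree; if it does not, the old legend was the accurate one.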
— | — | @@ -93,11 +93,10 @@ |
94 | 94 | 'openidlogininstructions' => '{{SITENAME}} supports the [http://openid.net/ OpenID] standard for single sign-on between websites. |
95 | 95 | OpenID lets you log in to many different websites without using a different password for each. |
96 | 96 | (See [http://en.wikipedia.org/wiki/OpenID Wikipedia\'s OpenID article] for more information.) |
97 | | - |
98 | | -If you already have an account on {{SITENAME}}, you can [[Special:UserLogin|log in]] with your username and password as usual. |
99 | | -To use OpenID in the future, you can [[Special:OpenIDConvert|convert your account to OpenID]] after you have logged in normally. |
100 | | - |
101 | 97 | There are many [http://openid.net/get/ OpenID providers], and you may already have an OpenID-enabled account on another service.', |
| 98 | + 'openidlogininstructions-openidloginonly' => "{{SITENAME}} ''only'' allows you to log in with OpenID.", |
| 99 | + 'openidlogininstructions-passwordloginallowed' => 'If you already have an account on {{SITENAME}}, you can [[Special:UserLogin|log in]] with your username and password as usual. |
| 100 | +To use OpenID in the future, you can [[Special:OpenIDConvert|convert your account to OpenID]] after you have logged in normally.', |
102 | 101 | 'openidupdateuserinfo' => 'Update my personal information:', |
103 | 102 | |
104 | 103 | 'openiddelete' => 'Delete OpenID', |
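Review bot: the two new keys on lines 98 to 100, 'openidlogininstructions-openidloginonly' and 'openidlogininstructions-passwordloginallowed', come without any note on which one is shown when or how they are joined to 'openidlogininstructions'. The removed blank lines (old 97 and 100) were the paragraph breaks around the password-login text, and neither new message starts with one, so unless the calling code inserts a break the appended text will run into the "There are many OpenID providers ..." sentence. Suggest documenting both keys and the setting that selects between them, and checking the rendered output for the missing paragraph break. Minor style point: line 98 is the only entry here in double quotes; single quotes with \'\'only\'\' would match the escaping already used on line 96.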
Index: trunk/extensions/OpenID/README.OpenID-mediawiki-extension |
— | — | @@ -0,0 +1,368 @@ |
| 2 | +MediaWiki OpenID extension |
| 3 | + |
| 4 | +version 0.9.1 |
| 5 | +15 May 2011 |
| 6 | + |
| 7 | +This is the README file for the OpenID extension for MediaWiki software. The |
| 8 | +extension is only useful if you've got a MediaWiki installation; it can only be |
| 9 | +installed by the administrator of the site. |
| 10 | + |
| 11 | +The extension lets users log in with an OpenID (http://www.openid.net/) instead |
| 12 | +of a username and password. An OpenID is a special URL that people can use to |
| 13 | +log in to a Web site. The extension also lets users who have an account on the |
| 14 | +wiki log in to other OpenID-aware Web sites with their wiki user page as their |
| 15 | +OpenID. |
| 16 | + |
| 17 | +Typical uses: |
| 18 | + |
| 19 | +* Single-signon between multiple affiliated wikis and other sites. |
| 20 | +* Single-signon across the Internet. Many, many sites now support OpenID, |
| 21 | + including "big names" like Yahoo!, Google, and AOL. Allowing users to login |
| 22 | + with OpenID means one less step for them to contribute to your wiki. |
| 23 | +* Distributed reputation. Logging into a new wiki with the same username as you |
| 24 | + have on another wiki doesn't prove that they're the same person. Logging in |
| 25 | + with your OpenID from the old wiki does. Using OpenID can help build a |
| 26 | + distributed reputation across the wiki world. |
| 27 | + |
| 28 | +The software supports OpenID 2.0 and '''requires''' the openidenabled.com 2.2.2 |
| 29 | +libraries. Users of previous versions should see [[#Upgrade]] for more |
| 30 | +information. |
| 31 | + |
| 32 | +This extension has been in use for years on several large wikis without known |
| 33 | +security problems. However, no software is completely bug-free or secure, and |
| 34 | +there's no guarantee that this software will work as advertised. See [[#Bugs]] |
| 35 | +section below for info on how to report problems. |
| 36 | + |
| 37 | +== License == |
| 38 | + |
| 39 | +Copyright 2006,2007 Internet Brands (http://www.internetbrands.com/) |
| 40 | +Copyright 2008 Evan Prodromou (http://vinismo.com/en/User:Evan) |
| 41 | +Copyright 2011 Thomas Gries |
| 42 | + |
| 43 | +This program is free software; you can redistribute it and/or modify |
| 44 | +it under the terms of the GNU General Public License as published by |
| 45 | +the Free Software Foundation; either version 2 of the License, or |
| 46 | +(at your option) any later version. |
| 47 | + |
| 48 | +This program is distributed in the hope that it will be useful, |
| 49 | +but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 50 | +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 51 | +GNU General Public License for more details. |
| 52 | + |
| 53 | +You should have received a copy of the GNU General Public License |
| 54 | +along with this program; if not, write to the Free Software |
| 55 | +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 56 | + |
| 57 | +== Author == |
| 58 | + |
| 59 | +Evan Prodromou <evan@vinismo.com> |
| 60 | +Patches for YADIS support and FileStore storage by Jonathan Daugherty |
| 61 | +<cygnus@janrain.com>. |
| 62 | + |
| 63 | +== Pre-requisites == |
| 64 | + |
| 65 | +This software has been tested with MediaWiki 1.19 rev. 88135 |
| 66 | + |
| 67 | +The software depends on the OpenIDEnabled.com PHP library for OpenID, which in |
| 68 | +turn depends on the OpenIDEnabled.com PHP library for YADIS. At the time of this |
| 69 | +writing, info on installing these libraries was available here: |
| 70 | + |
| 71 | + http://www.openidenabled.com/php-openid/ |
| 72 | + |
| 73 | +It requires patches when running with PHP 5.3.x and later. |
| 74 | + |
| 75 | +The version tested with is 2.2.2; '''versions below 2.0 will not work'''. |
| 76 | + |
| 77 | +There are also some required PHP extensions; see the OpenIDEnabled documentation |
| 78 | +for details. This software has been tested with the gmp and curl PHP extensions |
| 79 | +installed, and it's recommended that you install them, too. |
| 80 | + |
| 81 | +Note that some versions of MediaWiki overwrite the PHP library path in |
| 82 | +LocalSettings.php. You may need to add the path to your PHP library directory |
| 83 | +to the $path variable, like "/usr/share/php" or "/usr/local/share/php". |
| 84 | + |
| 85 | +== Installation == |
| 86 | + |
| 87 | +To install, copy all the files in the archive you downloaded to the OpenID |
| 88 | +subdirectory of the extensions subdirectory of your MediaWiki installation. Note |
| 89 | +that the software depends on having its code all in the "OpenID" sub-directory; |
| 90 | +naming it "OpenID-Test" or "newextension1" or whatever won't work. |
| 91 | + |
| 92 | +Run update.php script in in your MediaWiki maintenance folder to create |
| 93 | +necessary tables in MediaWiki database. |
| 94 | + |
| 95 | +Version 0.3 and below of this extension used a different database structure |
| 96 | +that was pretty inefficient. If you installed this extension before, you should |
| 97 | +copy the optionToTable.php script to your MediaWiki "maintenance" directory and |
| 98 | +run it from the command line. This will copy the OpenID mappings from the user |
| 99 | +table to the new table (but it doesn't erase the old data... just in case). |
| 100 | + |
| 101 | +In your MediaWiki LocalSettings.php, add the following line some place towards |
| 102 | +the bottom of the file: |
| 103 | + |
| 104 | + require_once( "$IP/extensions/OpenID/OpenID.setup.php" ); |
| 105 | + |
| 106 | +Theoretically it should work out of the box, but you'll almost definitely want |
| 107 | +to set the trust root and access controls (see Configuration below). |
| 108 | + |
| 109 | +== Upgrade == |
| 110 | + |
| 111 | +'''This is an incompatible upgrade to the previous version of the MediaWiki |
| 112 | +OpenID library.''' In particular, the interfaces of the openidenabled.com |
| 113 | +libraries have changed from 1.x to 2.x, and no effort has been made to retain |
| 114 | +backwards compatibility with the 1.x versions of the library. |
| 115 | + |
| 116 | +To upgrade, you'll need to do at least the following: |
| 117 | + |
| 118 | +* Install the 2.x version of the openidenabled.com PHP OpenID library. |
| 119 | +* Check that your consumer and server stores are correct. I got tired of |
| 120 | + maintaining the MemcStore that nobody seemed to want, so if you used that, you |
| 121 | + need to use the filestore now. See below for how to configure it. |
| 122 | +* Change your require_once line in LocalSettings.php to use the .setup.php file. |
| 123 | +* 'openidlogininstructions' is now wikitext, not HTML. If you've customized it, |
| 124 | + you may need to re-customize it. Also, it's now shown '''below''' the login |
| 125 | + box, so if you say ''the box below'', you may want to change that to ''the box |
| 126 | + above''. |
| 127 | +* The extension has been converted to use a clumsy and perverse OOP-like |
| 128 | + structure, with one class per special page. Most function names have been |
| 129 | + changed to methods of these classes. If you used them, look around for their |
| 130 | + replacements. |
| 131 | +* The extension has been converted to use the autoloading features of MediaWiki, |
| 132 | + which means that you need to require() the files directly if you really want |
| 133 | + to use their code. Or you might get lucky and have autoloading work for you. |
| 134 | + |
| 135 | +If you find other incompatibilities that I haven't mentioned here, please let |
| 136 | +me know. |
| 137 | + |
| 138 | +== Logging in using OpenID == |
| 139 | + |
| 140 | +To log in to the wiki using an OpenID, go to the Special:OpenIDLogin |
| 141 | +page on the wiki. Add the OpenID identity URL to the login box, and |
| 142 | +click "Verify". |
| 143 | + |
| 144 | +This ''should'' take you to the OpenID server for your identity, where |
| 145 | +you can either log in (if you're not already) or approve allowing the |
| 146 | +wiki to use your OpenID for logging in. If the OpenID server supports |
| 147 | +the Simple Registration Extension ('sreg'), it may also ask you |
| 148 | +whether to share personal information like your preferred nickname, |
| 149 | +real name, email address, etc. Choose as you wish. |
| 150 | + |
| 151 | +Once you're logged in to your OpenID server, and you've finished |
| 152 | +approving the login, you should return to the wiki from whence you |
| 153 | +came automatically. |
| 154 | + |
| 155 | +Every user who logs in with an OpenID identity for the first time will |
| 156 | +be assigned a "fake" username in the local wiki. (This just makes |
| 157 | +things work better.) |
| 158 | + |
| 159 | +If you've allowed your nickname to be passed to the wiki, and it's not |
| 160 | +already taken, and it's a legal MediaWiki user name, then it should |
| 161 | +use that for your login automatically. |
| 162 | + |
| 163 | +If not, the extension will try to make up some good candidate |
| 164 | +usernames for you and present you with a choice. If you don't like any |
| 165 | +of them, you can make up your own. |
| 166 | + |
| 167 | +After you're logged in, you can edit, read, write, and do all the |
| 168 | +other things that MediaWiki users do. Since you've got a "real" |
| 169 | +account, you'll also have a home page and a message page and such. It |
| 170 | +should also be possible to assign extra permissions ('sysop', |
| 171 | +'bureaucrat') to the account. You can log out as normal. |
| 172 | + |
| 173 | +To log back in, use the OpenIDLogin page again. Don't try to login |
| 174 | +using the regular login page, since it won't work. |
| 175 | + |
| 176 | +You can log in with an Interwiki abbreviation of an URL right now, but |
| 177 | +that's experimental and may disappear in later versions. Don't fall in |
| 178 | +love with this convenient, useful feature. You may get hurt. |
| 179 | + |
| 180 | +== Using a MediaWiki account as an OpenID == |
| 181 | + |
| 182 | +To log in to other sites with your MediaWiki account, your OpenID |
| 183 | +identity URL is the full URL of your MediaWiki user page. So, for |
| 184 | +example, the author's identity URL is: |
| 185 | + |
| 186 | + http://wikitravel.org/en/User:Evan |
| 187 | + |
| 188 | +When you use this OpenID with another site, logging in should take you |
| 189 | +to the wiki site. You may need to enter your password if you're not |
| 190 | +already logged in. |
| 191 | + |
| 192 | +You'll then be asked if you want to let the other site log you in, and |
| 193 | +if you want the MediaWiki wiki to share your personal information |
| 194 | +(nickname, email, full name, language) with the other site. Choose |
| 195 | +what feels comfortable to you. For some sites, you may not be asked; |
| 196 | +see Configuration below. |
| 197 | + |
| 198 | +Once you've finished deciding, the other site will finish the login. |
| 199 | + |
| 200 | +You can't log in through OpenID on the same server. You can't use the |
| 201 | +user page for a fake account created for an OpenID login as an OpenID |
| 202 | +itself. |
| 203 | + |
| 204 | +== Configuration == |
| 205 | + |
| 206 | +The administrator can configure these variables in the |
| 207 | +LocalSettings.php file. Please read carefully. |
| 208 | + |
| 209 | +* $wgTrustRoot -- This is an URL that identifies your site to OpenID |
| 210 | + servers. Typically, it's the "root" url of the site, like |
| 211 | + "http://en.wikipedia.org/" or "http://wikitravel.org/it/". If this is |
| 212 | + not set, the software will make a half-hearted guess, but it's not |
| 213 | + very good and you should probably just set it. |
| 214 | + |
| 215 | +* $wgOpenIDConsumerDenyByDefault -- The administrator can decide which |
| 216 | + OpenIDs are allowed to login to their server. If this flag is |
| 217 | + true, only those OpenIDs that match one of the $wgOpenIDConsumerAllow |
| 218 | + and not one of the $wgOpenIDConsumerDeny patterns will be allowed to |
| 219 | + log in. If it is false, all OpenIDs are allowed to log in, unless |
| 220 | + they are matched by an $wgOpenIDConsumerDeny pattern and not an |
| 221 | + $wgOpenIDConsumerAllow. Typically you'll set this to true for |
| 222 | + testing and then false for general use. |
| 223 | + |
| 224 | +* $wgOpenIDConsumerAllow -- an array of regular expressions that match |
| 225 | + OpenIDs you want to allow to log in. For example, |
| 226 | + "@^(http://)?wikitravel.org/@" will allow OpenIDs from the Wikitravel |
| 227 | + domain. |
| 228 | + |
| 229 | +* $wgOpenIDConsumerDeny -- an array of regular expressions that match |
| 230 | + OpenIDs you want to deny access to. This is mostly useful for |
| 231 | + servers that are known to be bad. Example: "#^(http://)?example.com/#". |
| 232 | + |
| 233 | +* $wgOpenIDConsumerForce -- a single provider which will always be used, |
| 234 | + bypassing the selection dialog and manual entry. Useful for team wikis |
| 235 | + using a provider such as Google Apps for Your Domain. |
| 236 | + |
| 237 | +* $wgOpenIDUseEmailAsNickname -- designed for use with the above, parse |
| 238 | + the e-mail address provided by your provider and use the user component |
| 239 | + as the MediaWiki username. |
| 240 | + |
| 241 | +* $wgOpenIDProposeUsernameFromSREG |
| 242 | + defaults to true; when first-time logging in with OpenID, propose and |
| 243 | + allow new account names from OpenID SREG data such as fullname or nickname |
| 244 | + |
| 245 | +* $wgOpenIDAllowManualUsername |
| 246 | + defaults to true; when first-time logging in with OpenID, show option |
| 247 | + to enter and to allow a manually chosen username |
| 248 | + |
| 249 | +* $wgOpenIDAllowAutomaticUsername |
| 250 | + defaults to true; when first-time logging in with OpenID, show option |
| 251 | + to choose and to allow an automatically generated username |
| 252 | + |
| 253 | +* $wgOpenIDTrustEmailAddress -- trust the e-mail address sent by the |
| 254 | + provider and don't require it to be verified. If false (the default), |
| 255 | + all new users will be required to validate their e-mail address. |
| 256 | + |
| 257 | +* $wgOpenIDServerForceAllowTrust -- an array of regular expressions |
| 258 | + that match trust roots that you want to skip trust checks for when |
| 259 | + the user logs in from those sites. A typical example would be a |
| 260 | + closely federated cluster of sites (like Wikimedia, Wikia, or |
| 261 | + Wikitravel) where the personal data is available to the trusting |
| 262 | + server ''anyways''. Be very careful using this across organizational |
| 263 | + boundaries. |
| 264 | + |
| 265 | +* $wgOpenIDConsumerStoreType and $wgOpenIDServerStoreType -- strings |
| 266 | + denoting the type of storage to be used to store OpenID assocation |
| 267 | + data when acting as an OpenID relying party (consumer) and server, |
| 268 | + respectively. Valid values are "file", "memcached" and "db". |
| 269 | + |
| 270 | +* $wgOpenIDConsumerStorePath and $wgOpenIDServerStorePath -- strings |
| 271 | + specifying the paths where OpenID assocation data should be stored |
| 272 | + when acting as a relying party (consumer) or server, respectively. |
| 273 | + Each of these need only be set if the store type settings (above) |
| 274 | + are set to "file", respectively. These strings, if both are set, |
| 275 | + MUST NOT be equal. If the store type is "file", the default here is |
| 276 | + "/tmp/$wgDBname/openidconsumer/" and "/tmp/$wgDBname/openidserver/" |
| 277 | + respectively. The path will be automatically created if it doesn't |
| 278 | + exist at runtime. |
| 279 | + |
| 280 | +* $wgHideOpenIDLoginLink -- boolean that says whether or not to hide |
| 281 | + the OpenID login link in the personal URLs. Typically you'd use this |
| 282 | + if you've already got some other method for showing the OpenID login |
| 283 | + link, like in your skin. Note that it will *not* prevent login if |
| 284 | + the user navigates to Special:OpenIDLogin directly; it's simply |
| 285 | + cosmetic. This is mostly a backwards-compatibility option. |
| 286 | + |
| 287 | +* $wgOpenIDLoginLogoUrl -- Url of the OpenID login logo. Defaults to |
| 288 | + 'http://www.openid.net/login-bg.gif', but you may want to move it to |
| 289 | + a local URL, or an URL on a CDN, if that kind of thing floats your |
| 290 | + boat. |
| 291 | + |
| 292 | +* $wgOpenIDShowUrlOnUserPage -- whether to show the OpenID identity URL |
| 293 | + on a user's home page. Possible values are 'always', 'never', or 'user' |
| 294 | + (lets the user decide). Default is 'user'. |
| 295 | + |
| 296 | +* $wgOpenIDOnly -- defaults to false. With this enabled, users can |
| 297 | + ''only'' log in with OpenID. |
| 298 | + |
| 299 | +* $wgOpenIDClientOnly -- defaults to false. With this enabled, users |
| 300 | + cannot use their accounts on the local wiki as OpenIDs on another |
| 301 | + site. Sucks for users, but some admins have emailed me about not |
| 302 | + wanting the responsibility of being an OpenID server, so this flag |
| 303 | + is for them. |
| 304 | + |
| 305 | +* $wgOpenIDAllowServingOpenIDUserAccounts -- defaults to false. |
| 306 | + Having this enabled, it allows User page URLs from this wiki |
| 307 | + as OpenID identities on other arbitrary OpenID-aware sites - |
| 308 | + even when using OpenID to login on this wiki. |
| 309 | + Some users might want to do that for vanity purposes or whatever. |
| 310 | + False prevents the serving of User page URLs as OpenID accounts |
| 311 | + on other sites (this was an TODO list item). |
| 312 | + |
| 313 | +* $wgOpenIDShowProviderIcons -- defaults to false due to potential |
| 314 | + brand issues. With this enabled, users will see button graphics |
| 315 | + instead of just links in OpenID provider UI. |
| 316 | + |
| 317 | +== Skins == |
| 318 | + |
| 319 | +If you are customizing a skin, and you want to show the OpenID |
| 320 | +identity for a user (say, on their user page), use the function |
| 321 | +OpenIDGetUserUrl($user). It takes a User object (not a name or an id!) |
| 322 | +and returns the user's OpenID identity if it exists, or null if it |
| 323 | +doesn't. |
| 324 | + |
| 325 | +== Translation == |
| 326 | + |
| 327 | +The user interface strings for this extension are configurable through |
| 328 | +the same Special:Allmessages page as MediaWiki itself. They all start |
| 329 | +with "openid", and they're no more or less cryptic than MediaWiki's. |
| 330 | +You can look at OpenID.i18n.php for some details. |
| 331 | + |
| 332 | +== OpenID services == |
| 333 | + |
| 334 | +These are some of the OpenID services I tested this extension with; |
| 335 | +all have free signup for identities if you want to test, too. |
| 336 | + |
| 337 | +* http://www.myopenid.com/ -- uses Simple Registration Extension |
| 338 | +* http://getopenid.com/ |
| 339 | +* http://www.typekey.com/ |
| 340 | +* http://www.claimid.com/ |
| 341 | +* http://pip.verisignlabs.com/ |
| 342 | +* http://certifi.ca/ |
| 343 | + |
| 344 | +== Bugs == |
| 345 | + |
| 346 | +Please submit bugs into [https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OpenID Bugzilla under OpenID extenson component]. |
| 347 | + |
| 348 | +== TODO == |
| 349 | +* Move TODO file and things below into Bugzilla |
| 350 | + |
| 351 | +The TODO file in this distribution has stuff I think needs to be |
| 352 | +todone; + marks show things I've already done, and - shows things |
| 353 | +that are yet to be done. |
| 354 | + |
| 355 | +The big changes for the future: |
| 356 | + |
| 357 | +* Configure some stuff through Special:Preferences or a dedicated |
| 358 | + control panel |
| 359 | +* Auto-login if you've logged in before with an OpenID, and are logged |
| 360 | + into that account now |
| 361 | + |
| 362 | +== CHANGES == |
| 363 | +* [http://svn.wikimedia.org/viewvc/mediawiki/tags/extensions/OpenID/REL_0_8_4/ 0.8.4] (April 16, 2009) - Added provider buttons to the OpenID login page with optional icons ($wgOpenIDShowProviderIcons) |
| 364 | +* [http://svn.wikimedia.org/viewvc/mediawiki/tags/extensions/OpenID/REL_0_8_4_1/ 0.8.4.1] (April 16, 2009) - Post-release fix to broken icon on user's page. |
| 365 | +* 0.9.1 fixes for PHP > 5.3.x; fixed bugs |
| 366 | + bug 27419 OpenID extension: disallow new account creation for those users without "createaccount" permission |
| 367 | + bug 27581 3 new OpenID login page parameters: $wgOpenIDAllowManualUsername, AllowAutomaticUsername, ProposeUsernameFromSREG |
| 368 | + bug 18635 Allow to use User pages as OpenIDs even if user is using OpenID already |
| 369 | + |
\ No newline at end of file |
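Review bot: the example patterns in the Configuration list, "@^(http://)?wikitravel.org/@" for $wgOpenIDConsumerAllow and "#^(http://)?example.com/#" for $wgOpenIDConsumerDeny, leave the dots unescaped and only allow for an http:// prefix, so an administrator who pastes them gets a looser match than the text describes and no match at all for https:// identity URLs. Escaping the dots (wikitravel\.org) and writing https? would make the examples safe to copy. The documented default store paths under /tmp/$wgDBname/ also deserve a sentence recommending a directory private to the web server user on shared hosts, since association data is kept there. Spelling: "assocation" (twice) and "extenson" in the Bugzilla link text.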
Index: trunk/extensions/OpenID/OpenID.hooks.php |
— | — | @@ -42,7 +42,7 @@ |
43 | 43 | |
44 | 44 | # Hook is called whenever an article is being viewed |
45 | 45 | public static function onArticleViewHeader( &$article, &$outputDone, &$pcache ) { |
46 | | - global $wgOut, $wgOpenIDClientOnly; |
| 46 | + global $wgOut, $wgOpenIDClientOnly, $wgOpenIDAllowServingOpenIDUserAccounts; |
47 | 47 | |
48 | 48 | $nt = $article->getTitle(); |
49 | 49 | |
— | — | @@ -71,19 +71,20 @@ |
72 | 72 | "<a href='$url'>$disp</a>" . |
73 | 73 | "</span>" ); |
74 | 74 | } |
75 | | - } else { |
76 | | - # Add OpenID data if its allowed |
77 | | - if ( !$wgOpenIDClientOnly ) { |
78 | | - $st = SpecialPage::getTitleFor( 'OpenIDServer' ); |
79 | | - $wgOut->addLink( array( 'rel' => 'openid.server', |
80 | | - 'href' => $st->getFullURL() ) ); |
81 | | - $wgOut->addLink( array( 'rel' => 'openid2.provider', |
82 | | - 'href' => $st->getFullURL() ) ); |
83 | | - $rt = SpecialPage::getTitleFor( 'OpenIDXRDS', $user->getName() ); |
84 | | - $wgOut->addMeta( 'http:X-XRDS-Location', $rt->getFullURL() ); |
85 | | - header( 'X-XRDS-Location: ' . $rt->getFullURL() ); |
86 | | - } |
87 | 75 | } |
| 76 | + |
| 77 | + # Add OpenID data if its allowed |
| 78 | + if ( !$wgOpenIDClientOnly && !( count( $openid ) && (strlen( $openid[0] ) != 0 ) && !$wgOpenIDAllowServingOpenIDUserAccounts ) ) { |
| 79 | + $st = SpecialPage::getTitleFor( 'OpenIDServer' ); |
| 80 | + $wgOut->addLink( array( 'rel' => 'openid.server', |
| 81 | + 'href' => $st->getFullURL() ) ); |
| 82 | + $wgOut->addLink( array( 'rel' => 'openid2.provider', |
| 83 | + 'href' => $st->getFullURL() ) ); |
| 84 | + $rt = SpecialPage::getTitleFor( 'OpenIDXRDS', $user->getName() ); |
| 85 | + $wgOut->addMeta( 'http:X-XRDS-Location', $rt->getFullURL() ); |
| 86 | + header( 'X-XRDS-Location: ' . $rt->getFullURL() ); |
| 87 | + } |
| 88 | + |
88 | 89 | } |
89 | 90 | } |
90 | 91 | |
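Review bot: the new guard at new line 78 wraps a negation around a three-part conjunction, which makes it hard to see when the openid.server / openid2.provider links and the X-XRDS-Location header are actually emitted. Suggest naming the intermediate, e.g. $isOpenIDUser = count( $openid ) && strlen( $openid[0] ) != 0; and then testing !$wgOpenIDClientOnly && ( !$isOpenIDUser || $wgOpenIDAllowServingOpenIDUserAccounts ), which is equivalent. While here, the comment "if its allowed" should read "if it's allowed".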
Index: trunk/extensions/OpenID/SpecialOpenIDServer.body.php |
— | — | @@ -188,7 +188,7 @@ |
189 | 189 | |
190 | 190 | function Check( $server, $request, $sreg, $imm = true ) { |
191 | 191 | |
192 | | - global $wgUser, $wgOut; |
| 192 | + global $wgUser, $wgOut, $wgOpenIDAllowServingOpenIDUserAccounts; |
193 | 193 | |
194 | 194 | assert( isset( $wgUser ) && isset( $wgOut ) ); |
195 | 195 | assert( isset( $server ) ); |
— | — | @@ -241,7 +241,7 @@ |
242 | 242 | |
243 | 243 | # Is the user an OpenID user? |
244 | 244 | |
245 | | - if ( $this->getUserUrl( $user ) ) { |
| 245 | + if ( !$wgOpenIDAllowServingOpenIDUserAccounts && $this->getUserUrl( $user ) ) { |
246 | 246 | wfDebug( "OpenID: Not one of our users; logs in with OpenID.\n" ); |
247 | 247 | return $request->answer( false, $this->serverUrl() ); |
248 | 248 | } |
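Review bot: this check decides "is an OpenID user" with $this->getUserUrl( $user ), while the discovery guard in OpenID.hooks.php uses count( $openid ) && strlen( $openid[0] ) != 0; if the two ever disagree, the user page will advertise this server for an identity that Check() then refuses, or the reverse. A shared helper called from both places would keep them in step. The wfDebug text "Not one of our users; logs in with OpenID." is also worth rewording now that the refusal is a configurable policy and not a fixed rule.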
— | — | @@ -731,9 +731,12 @@ |
732 | 732 | } |
733 | 733 | |
734 | 734 | # Use regexps to extract user name |
735 | | - |
736 | 735 | $pattern = str_replace( '$1', '(.*)', $wgArticlePath ); |
737 | 736 | $pattern = str_replace( '?', '\?', $pattern ); |
| 737 | + |
| 738 | + /* remove "Special:OpenIDXRDS/" to allow construction of a valid user page name */ |
| 739 | + $relative = preg_replace("!Special:OpenIDXRDS/!", "", $relative); |
| 740 | + |
738 | 741 | # Can't have a pound-sign in the relative, since that's for fragments |
739 | 742 | if ( !preg_match( "#$pattern#", $relative, $matches ) ) { |
740 | 743 | return null; |
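Review bot: the preg_replace added at new line 739 is unanchored and hard-codes the literal "Special:OpenIDXRDS/", so it removes that string wherever it occurs in $relative (including inside a user name) and does nothing when the special page is reached under a localized namespace name or an alias. No regex features are used, so suggest restricting the removal to the start of the page title and deriving the prefix from SpecialPage::getTitleFor( 'OpenIDXRDS' ), as the hooks file already does, instead of a literal.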
Index: trunk/extensions/OpenID/SpecialOpenIDLogin.body.php |
— | — | @@ -56,7 +56,7 @@ |
57 | 57 | $this->chooseName(); |
58 | 58 | break; |
59 | 59 | |
60 | | - case 'Finish': # Returning from a server |
| 60 | + case 'Finish': # Returning from a server |
61 | 61 | $this->finish(); |
62 | 62 | break; |
63 | 63 | |
— | — | @@ -96,7 +96,7 @@ |
97 | 97 | * Displays the main login form |
98 | 98 | */ |
99 | 99 | function loginForm() { |
100 | | - global $wgOut, $wgOpenIDShowProviderIcons; |
| 100 | + global $wgOut, $wgOpenIDShowProviderIcons, $wgOpenIDOnly; |
101 | 101 | |
102 | 102 | $wgOut->addModules( $wgOpenIDShowProviderIcons ? 'ext.openid.icons' : 'ext.openid.plain' ); |
103 | 103 | |
— | — | @@ -150,6 +150,11 @@ |
151 | 151 | Xml::closeElement( 'fieldset' ) . Xml::closeElement( 'form' ) |
152 | 152 | ); |
153 | 153 | $wgOut->addWikiMsg( 'openidlogininstructions' ); |
| 154 | + if ( $wgOpenIDOnly ) { |
| 155 | + $wgOut->addWikiMsg('openidlogininstructions-openidloginonly'); |
| 156 | + } else { |
| 157 | + $wgOut->addWikiMsg('openidlogininstructions-passwordloginallowed'); |
| 158 | + } |
154 | 159 | } |
155 | 160 | |
156 | 161 | /** |
— | — | @@ -161,7 +166,8 @@ |
162 | 167 | * @param $messagekey String or null: message name to display at the top |
163 | 168 | */ |
164 | 169 | function chooseNameForm( $openid, $sreg, $ax, $messagekey = null ) { |
165 | | - global $wgOut, $wgOpenIDOnly, $wgAllowRealName; |
| 170 | + global $wgOut, $wgOpenIDOnly, $wgAllowRealName, $wgUser; |
| 171 | + global $wgOpenIDProposeUsernameFromSREG, $wgOpenIDAllowAutomaticUsername, $wgOpenIDAllowManualUsername; |
166 | 172 | |
167 | 173 | if ( $messagekey ) { |
168 | 174 | $wgOut->addWikiMsg( $messagekey ); |
— | — | @@ -218,7 +224,7 @@ |
219 | 225 | $wgOut->addHTML( |
220 | 226 | Xml::openElement( 'tr' ) . |
221 | 227 | Xml::tags( 'td', array( 'class' => 'mw-label' ), |
222 | | - Xml::radio( 'wpNameChoice', 'existing', false, array( 'id' => 'wpNameChoiceExisting' ) ) |
| 228 | + Xml::radio( 'wpNameChoice', 'existing', !$def, array( 'id' => 'wpNameChoiceExisting' ) ) |
223 | 229 | ) . "\n" . |
224 | 230 | Xml::tags( 'td', array( 'class' => 'mw-input' ), |
225 | 231 | Xml::label( wfMsg( 'openidchooseexisting' ), 'wpNameChoiceExisting' ) . "<br />\n" . |
— | — | @@ -230,83 +236,101 @@ |
231 | 237 | ) . "\n" . |
232 | 238 | Xml::closeElement( 'tr' ) . "\n" |
233 | 239 | ); |
234 | | - } |
235 | | - |
236 | | - # These options won't exist if we can't get them. |
237 | | - if ( array_key_exists( 'nickname', $sreg ) && $this->userNameOK( $sreg['nickname'] ) ) { |
238 | | - $wgOut->addHTML( |
239 | | - Xml::openElement( 'tr' ) . |
240 | | - Xml::tags( 'td', array( 'class' => 'mw-label' ), |
241 | | - Xml::radio( 'wpNameChoice', 'nick', !$def, array( 'id' => 'wpNameChoiceNick' ) ) |
242 | | - ) . |
243 | | - Xml::tags( 'td', array( 'class' => 'mw-input' ), |
244 | | - Xml::label( wfMsg( 'openidchoosenick', $sreg['nickname'] ), 'wpNameChoiceNick' ) |
245 | | - ) . |
246 | | - Xml::closeElement( 'tr' ) . "\n" |
247 | | - ); |
248 | 240 | $def = true; |
249 | | - } |
| 241 | + } // !$wgOpenIDOnly |
250 | 242 | |
251 | | - # These options won't exist if we can't get them. |
252 | | - $fullname = null; |
253 | | - if ( array_key_exists( 'fullname', $sreg ) ) { |
254 | | - $fullname = $sreg['fullname']; |
255 | | - } |
| 243 | + # These are only available if all visitors are allowed to create accounts |
| 244 | + if ( $wgUser->isAllowed( 'createaccount' ) && !$wgUser->isBlockedFromCreateAccount() ) { |
| 245 | + |
| 246 | + if ($wgOpenIDProposeUsernameFromSREG) { |
| 247 | + |
| 248 | + # These options won't exist if we can't get them. |
| 249 | + if ( array_key_exists( 'nickname', $sreg ) && $this->userNameOK( $sreg['nickname'] ) ) { |
| 250 | + $wgOut->addHTML( |
| 251 | + Xml::openElement( 'tr' ) . |
| 252 | + Xml::tags( 'td', array( 'class' => 'mw-label' ), |
| 253 | + Xml::radio( 'wpNameChoice', 'nick', !$def, array( 'id' => 'wpNameChoiceNick' ) ) |
| 254 | + ) . |
| 255 | + Xml::tags( 'td', array( 'class' => 'mw-input' ), |
| 256 | + Xml::label( wfMsg( 'openidchoosenick', $sreg['nickname'] ), 'wpNameChoiceNick' ) |
| 257 | + ) . |
| 258 | + Xml::closeElement( 'tr' ) . "\n" |
| 259 | + ); |
| 260 | + } |
| 261 | + |
| 262 | + # These options won't exist if we can't get them. |
| 263 | + $fullname = null; |
| 264 | + if ( array_key_exists( 'fullname', $sreg ) ) { |
| 265 | + $fullname = $sreg['fullname']; |
| 266 | + } |
256 | 267 | |
257 | | - if ( array_key_exists( 'http://axschema.org/namePerson/first', $ax ) || array_key_exists( 'http://axschema.org/namePerson/last', $ax ) ) { |
258 | | - $fullname = $ax['http://axschema.org/namePerson/first'][0] . " " . $ax['http://axschema.org/namePerson/last'][0]; |
259 | | - } |
| 268 | + if ( array_key_exists( 'http://axschema.org/namePerson/first', $ax ) || array_key_exists( 'http://axschema.org/namePerson/last', $ax ) ) { |
| 269 | + $fullname = $ax['http://axschema.org/namePerson/first'][0] . " " . $ax['http://axschema.org/namePerson/last'][0]; |
| 270 | + } |
260 | 271 | |
261 | | - if ( $fullname && $this->userNameOK( $fullname ) ) { |
| 272 | + if ( $fullname && $this->userNameOK( $fullname ) ) { |
| 273 | + $wgOut->addHTML( |
| 274 | + Xml::openElement( 'tr' ) . |
| 275 | + Xml::tags( 'td', array( 'class' => 'mw-label' ), |
| 276 | + Xml::radio( 'wpNameChoice', 'full', !$def, array( 'id' => 'wpNameChoiceFull' ) ) |
| 277 | + ) . |
| 278 | + Xml::tags( 'td', array( 'class' => 'mw-input' ), |
| 279 | + Xml::label( wfMsg( 'openidchoosefull', $fullname ), 'wpNameChoiceFull' ) |
| 280 | + ) . |
| 281 | + Xml::closeElement( 'tr' ) . "\n" |
| 282 | + ); |
| 283 | + $def = true; |
| 284 | + } |
| 285 | + |
| 286 | + $idname = $this->toUserName( $openid ); |
| 287 | + if ( $idname && $this->userNameOK( $idname ) ) { |
| 288 | + $wgOut->addHTML( |
| 289 | + Xml::openElement( 'tr' ) . |
| 290 | + Xml::tags( 'td', array( 'class' => 'mw-label' ), |
| 291 | + Xml::radio( 'wpNameChoice', 'url', !$def, array( 'id' => 'wpNameChoiceUrl' ) ) |
| 292 | + ) . |
| 293 | + Xml::tags( 'td', array( 'class' => 'mw-input' ), |
| 294 | + Xml::label( wfMsg( 'openidchooseurl', $idname ), 'wpNameChoiceUrl' ) |
| 295 | + ) . |
| 296 | + Xml::closeElement( 'tr' ) . "\n" |
| 297 | + ); |
| 298 | + $def = true; |
| 299 | + } |
| 300 | + } // if $wgOpenIDProposeUsernameFromSREG |
| 301 | + |
| 302 | + if ($wgOpenIDAllowAutomaticUsername) { |
262 | 303 | $wgOut->addHTML( |
263 | 304 | Xml::openElement( 'tr' ) . |
264 | 305 | Xml::tags( 'td', array( 'class' => 'mw-label' ), |
265 | | - Xml::radio( 'wpNameChoice', 'full', !$def, array( 'id' => 'wpNameChoiceFull' ) ) |
| 306 | + Xml::radio( 'wpNameChoice', 'auto', !$def, array( 'id' => 'wpNameChoiceAuto' ) ) |
266 | 307 | ) . |
267 | 308 | Xml::tags( 'td', array( 'class' => 'mw-input' ), |
268 | | - Xml::label( wfMsg( 'openidchoosefull', $fullname ), 'wpNameChoiceFull' ) |
| 309 | + Xml::label( wfMsg( 'openidchooseauto', $this->automaticName( $sreg ) ), 'wpNameChoiceAuto' ) |
269 | 310 | ) . |
270 | | - Xml::closeElement( 'tr' ) . "\n" |
271 | | - ); |
272 | | - $def = true; |
| 311 | + Xml::closeElement( 'tr' ) . "\n" |
| 312 | + ); |
273 | 313 | } |
274 | 314 | |
275 | | - $idname = $this->toUserName( $openid ); |
276 | | - if ( $idname && $this->userNameOK( $idname ) ) { |
| 315 | + if ($wgOpenIDAllowManualUsername) { |
277 | 316 | $wgOut->addHTML( |
278 | | - Xml::openElement( 'tr' ) . |
279 | | - Xml::tags( 'td', array( 'class' => 'mw-label' ), |
280 | | - Xml::radio( 'wpNameChoice', 'url', !$def, array( 'id' => 'wpNameChoiceUrl' ) ) |
281 | | - ) . |
282 | | - Xml::tags( 'td', array( 'class' => 'mw-input' ), |
283 | | - Xml::label( wfMsg( 'openidchooseurl', $idname ), 'wpNameChoiceUrl' ) |
284 | | - ) . |
285 | | - Xml::closeElement( 'tr' ) . "\n" |
286 | | - ); |
287 | | - $def = true; |
288 | | - } |
289 | 317 | |
290 | | - # These are always available |
291 | | - $wgOut->addHTML( |
292 | 318 | Xml::openElement( 'tr' ) . |
293 | 319 | Xml::tags( 'td', array( 'class' => 'mw-label' ), |
294 | | - Xml::radio( 'wpNameChoice', 'auto', !$def, array( 'id' => 'wpNameChoiceAuto' ) ) |
295 | | - ) . |
296 | | - Xml::tags( 'td', array( 'class' => 'mw-input' ), |
297 | | - Xml::label( wfMsg( 'openidchooseauto', $this->automaticName( $sreg ) ), 'wpNameChoiceAuto' ) |
298 | | - ) . |
299 | | - Xml::closeElement( 'tr' ) . "\n" . |
300 | | - |
301 | | - Xml::openElement( 'tr' ) . |
302 | | - Xml::tags( 'td', array( 'class' => 'mw-label' ), |
303 | 320 | Xml::radio( 'wpNameChoice', 'manual', !$def, array( 'id' => 'wpNameChoiceManual' ) ) |
304 | 321 | ) . |
305 | 322 | Xml::tags( 'td', array( 'class' => 'mw-input' ), |
306 | 323 | Xml::label( wfMsg( 'openidchoosemanual' ), 'wpNameChoiceManual' ) . ' ' . |
307 | 324 | Xml::input( 'wpNameValue', 16, false, array( 'id' => 'wpNameValue' ) ) |
308 | 325 | ) . |
309 | | - Xml::closeElement( 'tr' ) . "\n" . |
| 326 | + Xml::closeElement( 'tr' ) . "\n" |
| 327 | + ); |
| 328 | + } |
310 | 329 | |
| 330 | + } // These are only available if all visitors are allowed to create accounts |
| 331 | + |
| 332 | + # These are always available |
| 333 | + $wgOut->addHTML( |
| 334 | + |
311 | 335 | Xml::openElement( 'tr' ) . "\n" . |
312 | 336 | Xml::element( 'td', array(), '' ) . "\n" . |
313 | 337 | Xml::tags( 'td', array( 'class' => 'mw-submit' ), |
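Review bot: in the re-indented nickname block (new lines 249-260) the $def = true; that used to follow the 'nick' row is gone; the surviving $def = true; at new line 240 now sits inside the block closed by "} // !$wgOpenIDOnly". With $wgOpenIDOnly enabled and both a nickname and a full name available, the 'nick' and 'full' radios are both rendered with !$def evaluating to true (assuming $def starts out false). Restore $def = true; after the nickname row. Also, when the visitor lacks 'createaccount' and $wgOpenIDOnly is set, the table ends up with only the submit row, so a message explaining why no choice is offered would help. The closing comment at new line 330 would read better as a short "// createaccount allowed".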
— | — | @@ -365,8 +389,6 @@ |
366 | 390 | |
367 | 391 | $this->updateUser( $user, $sreg, $ax ); |
368 | 392 | |
369 | | - $wgUser = $user; |
370 | | - |
371 | 393 | } else { |
372 | 394 | $name = $this->getUserName( $openid, $sreg, $ax, $choice, $nameValue ); |
373 | 395 | |
— | — | @@ -386,6 +408,8 @@ |
387 | 409 | return; |
388 | 410 | } |
389 | 411 | |
| 412 | + $wgUser = $user; |
| 413 | + |
390 | 414 | $this->clearValues(); |
391 | 415 | |
392 | 416 | $this->displaySuccessLogin( $openid ); |
— | — | @@ -453,7 +477,7 @@ |
454 | 478 | if ($wgOpenIDUseEmailAsNickname) { |
455 | 479 | $name = $this->getNameFromEmail( $openid, $sreg, $ax ); |
456 | 480 | if ( !empty($name) && $this->userNameOk( $name ) ) { |
457 | | - $user = $this->createUser( $openid, $sreg, $ax, $name ); |
| 481 | + $wgUser = $this->createUser( $openid, $sreg, $ax, $name ); |
458 | 482 | $this->displaySuccessLogin( $openid ); |
459 | 483 | return; |
460 | 484 | } |
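Review bot: the return value of createUser() is now assigned straight to $wgUser and displaySuccessLogin() is called with no null check, while the permission checks this patch adds next to User::newFromName() return null on failure. Suggest assigning to a local first and only setting $wgUser and showing the success page when the result is non-null. Please also confirm that $wgUser is declared global in this function, since the declaration is not in the hunk; without it this line writes a local variable.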
— | — | @@ -583,6 +607,15 @@ |
584 | 608 | |
585 | 609 | $user = User::newFromName( $name ); |
586 | 610 | |
| 611 | + # Check permissions |
| 612 | + if ( !$user->isAllowed( 'createaccount' ) ) { |
| 613 | + wfDebug( "OpenID: User is not allowed to create an account.\n" ); |
| 614 | + return null; |
| 615 | + } elseif ( $user->isBlockedFromCreateAccount() ) { |
| 616 | + wfDebug( "OpenID: User is blocked.\n" ); |
| 617 | + return null; |
| 618 | + } |
| 619 | + |
587 | 620 | if ( !$user ) { |
588 | 621 | wfDebug( "OpenID: Error adding new user.\n" ); |
589 | 622 | return null; |
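Review bot: the new permission checks call $user->isAllowed() and $user->isBlockedFromCreateAccount() on the object just returned by User::newFromName( $name ), ahead of the existing if ( !$user ) guard, so a failed lookup is dereferenced before it is tested. They also examine the account being created and not the visitor making the request; the form code in this same file checks $wgUser->isAllowed( 'createaccount' ) && !$wgUser->isBlockedFromCreateAccount(), and the same subject should be used here. Suggest moving the block below the !$user check and switching it to $wgUser.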
— | — | @@ -630,11 +663,14 @@ |
631 | 664 | # ---------------------------- |
632 | 665 | |
633 | 666 | function getUserName( $openid, $sreg, $ax, $choice, $nameValue ) { |
| 667 | + global $wgOpenIDAllowAutomaticUsername, $wgOpenIDAllowManualUsername, $wgOpenIDProposeUsernameFromSREG; |
| 668 | + |
634 | 669 | switch ( $choice ) { |
635 | 670 | case 'nick': |
636 | | - return ( ( array_key_exists( 'nickname', $sreg ) ) ? $sreg['nickname'] : null ); |
| 671 | + if ($wgOpenIDProposeUsernameFromSREG) return ( ( array_key_exists( 'nickname', $sreg ) ) ? $sreg['nickname'] : null ); |
637 | 672 | break; |
638 | 673 | case 'full': |
| 674 | + if (!$wgOpenIDProposeUsernameFromSREG) return; |
639 | 675 | # check the SREG first; only return a value if non-null |
640 | 676 | $fullname = ( ( array_key_exists( 'fullname', $sreg ) ) ? $sreg['fullname'] : null ); |
641 | 677 | if (!is_null($fullname)) { |
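Review bot: the two new guards express the same rule in opposite styles: 'nick' uses a positive one-line if and then drops to break, so the function ends without a return statement when the flag is off, while 'full' uses a bare return;. The rest of the switch returns null explicitly, so suggest the same early-exit form in every case, with braces and return null;.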
— | — | @@ -647,13 +683,13 @@ |
648 | 684 | return $fullname; |
649 | 685 | break; |
650 | 686 | case 'url': |
651 | | - return $this->toUserName( $openid ); |
| 687 | + if ($wgOpenIDProposeUsernameFromSREG) return $this->toUserName( $openid ); |
652 | 688 | break; |
653 | 689 | case 'auto': |
654 | | - return $this->automaticName( $sreg ); |
| 690 | + if ($wgOpenIDAllowAutomaticUsername) return $this->automaticName( $sreg ); |
655 | 691 | break; |
656 | 692 | case 'manual': |
657 | | - return $nameValue; |
| 693 | + if ($wgOpenIDAllowManualUsername) return $nameValue; |
658 | 694 | default: |
659 | 695 | return null; |
660 | 696 | } |
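Review bot: with the new condition on case 'manual' there is still no break, so a disabled manual choice reaches return null only by falling through into default. That works today but is easy to break when a case is added later; an explicit return null; or a fall-through comment would make it deliberate. Separately, 'url' is gated on $wgOpenIDProposeUsernameFromSREG although that name comes from toUserName( $openid ) and not from SREG data; either document that the flag covers it or give it its own switch. Enforcing the flags here, and not only by hiding the radio buttons in the form, is the right call.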
Index: trunk/extensions/OpenID/OpenID.setup.php |
— | — | @@ -114,6 +114,25 @@ |
115 | 115 | $wgOpenIDUseEmailAsNickname = false; |
116 | 116 | |
117 | 117 | /** |
| 118 | + * when logging on: |
| 119 | + * propose and allow new account names from OpenID SREG data such as fullname or nickname |
| 120 | + * |
| 121 | + */ |
| 122 | +$wgOpenIDProposeUsernameFromSREG = true; |
| 123 | + |
| 124 | +/** |
| 125 | + * when logging on: |
| 126 | + * show option to enter and to allow a manually chosen username |
| 127 | + */ |
| 128 | +$wgOpenIDAllowManualUsername = true; |
| 129 | + |
| 130 | +/** |
| 131 | + * when logging on: |
| 132 | + * show option to choose and to allow an automatically generated username |
| 133 | + */ |
| 134 | +$wgOpenIDAllowAutomaticUsername = true; |
| 135 | + |
| 136 | +/** |
118 | 137 | * Where to store transitory data. |
119 | 138 | * Supported types are 'file', 'memcached', 'db'. |
120 | 139 | */ |
— | — | @@ -144,6 +163,20 @@ |
145 | 164 | $wgOpenIDClientOnly = false; |
146 | 165 | |
147 | 166 | /** |
| 167 | + * Allow to use User pages as OpenIDs even if user is using OpenID already |
| 168 | + * |
| 169 | + * If true, users can use their user page URLs of this site A as OpenID |
| 170 | + * on another site B even if user is using OpenID on A already. |
| 171 | + * |
| 172 | + * Some users might want to do that for vanity purposes or whatever. |
| 173 | + * |
| 174 | + * https://bugzilla.wikimedia.org/show_bug.cgi?id=18635 |
| 175 | + * If false, prevent serving OpenID accounts (TODO list item; done) |
| 176 | + * |
| 177 | + */ |
| 178 | +$wgOpenIDAllowServingOpenIDUserAccounts = true; |
| 179 | + |
| 180 | +/** |
148 | 181 | * If true, will show provider icons instead of the text. |
149 | 182 | */ |
150 | 183 | $wgOpenIDShowProviderIcons = false; |
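Review bot: the default set here is true, but the README entry added in this same change says $wgOpenIDAllowServingOpenIDUserAccounts "defaults to false". Before this patch Check() refused these accounts unconditionally, so shipping true changes behaviour for existing installations on upgrade: the wiki starts vouching for identities that were themselves authenticated only by an outside provider. Suggest defaulting to false, which matches both the README and the previous behaviour, and letting administrators opt in. The docblock would also read more clearly if it stated the default and led with what false does.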
— | — | @@ -162,7 +195,7 @@ |
163 | 196 | 'name' => 'OpenID', |
164 | 197 | 'version' => MEDIAWIKI_OPENID_VERSION, |
165 | 198 | 'path' => __FILE__, |
166 | | - 'author' => array( 'Evan Prodromou', 'Sergey Chernyshev', 'Alexandre Emsenhuber' ), |
| 199 | + 'author' => array( 'Evan Prodromou', 'Sergey Chernyshev', 'Alexandre Emsenhuber', 'Thomas Gries' ), |
167 | 200 | 'url' => 'http://www.mediawiki.org/wiki/Extension:OpenID', |
168 | 201 | 'descriptiomsg' => 'openid-desc', |
169 | 202 | ); |
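Review bot: the context line 'descriptiomsg' => 'openid-desc' directly below the edited author entry is misspelled; the extension credits key is 'descriptionmsg', so as written the description message is not picked up. It is untouched by this change but worth fixing in the same commit.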