User Migration Extension

This MediaWiki extension allows users to change their account's password by performing an edit on another wiki.

Download: UserMigration-1.0.zip, 06 Nov 2010.

Requirements

• PHP 5 >= 5.1.2, fopen wrappers enabled
• Source wiki must allow public access to revision data trough the MediaWiki API.
• Accounts being migrated must already exist in the user table, and must be members of a particular group.
  This can be accomplished using for instance MediaWikiDumper.

Installation

1. Extract the zip file into the extensions/ directory of your MediaWiki installation.
   Verify that the extensions/UserMigration/UserMigration.php file is created.
2. Add these lines to your LocalSettings.php file:

   require_once("$IP/extensions/UserMigration/UserMigration.php");

   This enables the UserMigration extension.

   $wgMigrationSource = 'http://www.example.com/path/to/api.php';

   This should be the URL of the api.php file on the wiki you are migrating from; for example, http://www.wikipedia.org/w/api.php or http://community.wikia.com/api.php

   $wgMigrationGroup = 'user group name';

   Name of the user group containing only accounts that have not been reclaimed yet. Users will be removed from this group after reclaiming their accounts.
   By default, accounts imported using MediaWikiDumper are in the "wikian" group.

   $wgMigrationSecret = 'a 64-character hex string';

   This 64-character hexadecimal string is used to generate the tokens used for authentication, preventing the tokens from revealing the new passwords. You should use a random string specific to your installation.
   If JavaScript is enabled, the string above is randomly generated by your browser.

UI Configuration

There are a number of messages that can be customized by editing pages in the MediaWiki namespace:

MediaWiki:reclaim-not-reserved

Displayed when the username being reclaimed does not exists in the wiki's users table.

MediaWiki:reclaim-invalid-password

Displayed when the user picks an invalid new password (i.e. one that does not meet the wiki's complexity requirements).

MediaWiki:reclaim-account-in-use

Displayed when the username being reclaimed is not a member of the not-reclaimed user group.

MediaWiki:reclaim-done

Displayed when a username ($1) is successfully reclaimed.

MediaWiki:reclaim-missing-token

Displayed when the desired token ($1) is not found in the user's ($2) last edit summary ($3) on their user page on the old wiki.

MediaWiki:reclaim-title, MediaWiki:reclaim-help, MediaWiki:reclaim-begin

Common page elements.

How this works

The "token" generated by the extension is a substring of an HMAC generated for the particular (username, password) pair using the installation-specific secret. The user is then instructed to edit their user page and include this token in their edit summary.

The extension then checks the user's latest edit to their userpage -- if the latest edit summary contains the token, it changes the user's password, and removes the user from the migrating users group, preventing reclamation from being used again for that account.

This automates the process of transferring accounts, does not require the user to reveal their old password to the new wiki, and prevents third parties from being able to guess the new password based on the edit summaries.