Warning: The code or configuration described here poses a major security risk.
Site administrators: You are advised against using it until this security issue is resolved.
Problem: This extension is believed to pose serious security and/or privacy risks! Users with access to this extension can change a user's email address and password, which basically gives them the ability to take over another user's account. Additionally, users can indefinitely disable a user account which is not reversible via an extension or other special page. Therefore, do NOT grant a user access to this extension unless you 100% trust them not to abuse it. It is recommended to only grant access to bureaucrat or higher access levels. We are not responsible for any security and/or privacy leaks.
Solution: If unsure, do not install this extension.
Release status: stable
|Description||Allows editing account details, or disabling an account|
|Author(s)||Łukasz Garczewski, Jack Phoenix|
|Latest version||1.3.3 (2017-01-27)|
|License||GNU General Public License 2.0 or later|
The EditAccount extension has two main purposes. One is to change the password, real name, or email address of another user. The second is to disable the account of another user.
The special page may be limited to a certain user group such as staff or bureaucrats.
After disabling an account, the user is immediately logged out. This prevents them from visiting their preferences and setting a new password or email address, which might be possible if you had simply scrambled their password.
When an account is disabled, the user will no longer be able to log in. Their password will be scrambled. Their email address will be removed. Their real name will be set to "Account Disabled". Their E-mail authentication status will be set to "not authenticated". The Registration date and other preferences info will not be affected.
A note appears on the user's contributions list of a disabled account stating "This account has been disabled."
All account edits are logged.
- Download and place the file(s) in a directory called
- Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'EditAccount' );
- Configure user group and user right at your convenience.
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
To users running MediaWiki 1.28 or earlier:
The instructions above describe the new way of installing this extension using wfLoadExtension(). If you need to install this extension on these earlier versions (MediaWiki 1.28 and earlier), instead of wfLoadExtension( 'EditAccount' );, you need to use:
By default, all user groups will only have permission to close their own accounts. The user right "editaccount" will have to be set for an existing user group, e.g. "bureaucrat" or for a new user group to allow editing or closing all accounts:
$wgGroupPermissions['bureaucrat']['editaccount'] = true;
$wgGroupPermissions['editaccount']['editaccount'] = true;
Use of the special pages "CloseAccount" and "EditAccount" is logged at Special:Log/editaccnt. This log can be set to private if needed.
- Example log entries
* 04:41, March 18, 2011 WikiAdmin (Talk | contribs | block) disabled account User:Example user
* 02:11, February 17, 2011 StaffMember (Talk | contribs | block) changed password for user User:Jimbo Wales
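An added example, not code from the extension: a Python audit of rendered Special:Log/editaccnt lines that flags entries made by accounts outside an approved operator list and labels each with the risk named in the warning at the top of this page. The line format is assumed from the example entries above, and APPROVED_OPERATORS is a hypothetical allow-list.

```python
import re
from datetime import datetime

# Assumed format: rendered Special:Log/editaccnt lines as in the page's examples.
LINE_RE = re.compile(
    r"^\*?\s*(?P<ts>\d{2}:\d{2}, \w+ \d{1,2}, \d{4}) "
    r"(?P<actor>.+?) \(Talk \| contribs \| block\) "
    r"(?P<action>.+?) User:(?P<target>.+)$"
)
# Hypothetical allow-list: accounts meant to hold the 'editaccount' right.
APPROVED_OPERATORS = {"WikiAdmin"}
# Action phrases taken from the page's example entries.
RISK_BY_ACTION = {
    "changed password for user": "credential-change",
    "disabled account": "irreversible-disable",
}
# The two example entries shown on this page.
SAMPLE_LOG = [
    "* 04:41, March 18, 2011 WikiAdmin (Talk | contribs | block) "
    "disabled account User:Example user",
    "* 02:11, February 17, 2011 StaffMember (Talk | contribs | block) "
    "changed password for user User:Jimbo Wales",
]

def parse_entry(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%H:%M, %B %d, %Y")
    entry["risk"] = RISK_BY_ACTION.get(entry["action"], "unknown-action")
    return entry

def audit(lines, approved=APPROVED_OPERATORS):
    """Return findings needing review and the lines that failed to parse."""
    findings, unparsed = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            unparsed.append(line)  # surface, never silently drop
        elif entry["actor"] not in approved or entry["risk"] == "unknown-action":
            findings.append(entry)
    return {"findings": findings, "unparsed": unparsed}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG)["findings"]:
        print(f["ts"].isoformat(), f["actor"], f["risk"], f["target"])
```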