Warning: The code or configuration described here poses a major security risk.
Site administrators: You are advised against using it until this security issue is resolved.
Problem: This extension is believed to pose serious security and/or privacy risks! Users with access to this extension can change a user's email address and password, which basically gives them the ability to take over another user's account. Additionally, users can indefinitely disable a user account which is not reversible via an extension or other special page. Therefore, do NOT grant a user access to this extension unless you 100% trust them not to abuse it. It is recommended to only grant access to bureaucrat or higher access levels. We are not responsible for any security and/or privacy leaks.
Solution: If unsure, do not install this extension.
Release status: stable
|Description||Allows editing account details, or disabling an account|
|Author(s)||Łukasz Garczewski, Jack Phoenix|
|Latest version||1.3.4 (2021-06-05)|
|Compatibility policy||For every MediaWiki release that is a Long Term Support release there is a corresponding branch in the extension.|
|License||GNU General Public License 2.0 or later|
The EditAccount extension has two main purposes. One is to change the password, real name, or email address of another user. The second is to disable the account of another user.
The special page may be limited to a certain user group such as staff or bureaucrats.
Changing the password
Changing the password automatically logs the user out. Because the user no longer knows the password, this can prevent access to their account, which makes it an alternative to disabling the account.
Disabling an account
Similar to the above, the user will be logged out immediately. Alongside that, the following will take effect:
- The user's password will be scrambled, preventing them from logging in.
- The user's email address will be removed, and the email authentication status will also be set to "not authenticated".
- The user's real name will be set to "Account Disabled".
Note that the registration date and other preferences info will not be affected.
When viewing the contributions of a disabled user account, a note appears stating "This account has been disabled."
All account edits are automatically logged.
- Download and place the file(s) in a directory called
- Add the following code at the bottom of your
wfLoadExtension( 'EditAccount' );
- Configure user group and user right at your convenience.
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
To users running MediaWiki 1.28 or earlier:
The instructions above describe the new way of installing this extension using
If you need to install this extension on these earlier versions (MediaWiki 1.28 and earlier), instead of
wfLoadExtension( 'EditAccount' );, you need to use:
By default, all user groups will only have permission to close their own accounts. The user right "editaccount" will have to be set for an existing user group, e.g. "bureaucrat" or for a new user group to allow editing or closing all accounts:
$wgGroupPermissions['bureaucrat']['editaccount'] = true;
$wgGroupPermissions['editaccount']['editaccount'] = true;
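Because the "editaccount" right allows account takeover, it is worth checking which groups actually hold it after configuration. The following audit is an added example, not part of the extension: it assumes the wiki's standard siteinfo API output (`siprop=usergroups`), and the function name, allow-list and sample response are constructed for illustration.

```python
import json

# Groups MediaWiki assigns automatically; a right granted here reaches everyone.
IMPLICIT_GROUPS = {"*", "user", "autoconfirmed"}


def audit_editaccount(siteinfo, allowed=frozenset({"bureaucrat"}), right="editaccount"):
    """List (severity, group) pairs for groups that hold `right` unexpectedly.

    `siteinfo` is the decoded JSON returned by
    api.php?action=query&meta=siteinfo&siprop=usergroups&format=json
    """
    findings = []
    for group in siteinfo.get("query", {}).get("usergroups", []):
        name = group.get("name", "")
        if right not in group.get("rights", []):
            continue
        if name in IMPLICIT_GROUPS:
            # Every visitor or every registered user could take over accounts.
            findings.append(("critical", name))
        elif name not in allowed:
            findings.append(("review", name))
    # Critical findings first, then alphabetical by group name.
    return sorted(findings, key=lambda f: (f[0] != "critical", f[1]))


# Constructed sample response (not taken from a real wiki).
SAMPLE = json.loads("""
{"query": {"usergroups": [
  {"name": "*",           "rights": ["read", "createaccount"]},
  {"name": "user",        "rights": ["read", "edit", "editaccount"]},
  {"name": "sysop",       "rights": ["block", "delete", "editaccount"]},
  {"name": "bureaucrat",  "rights": ["userrights", "editaccount"]},
  {"name": "editaccount", "rights": ["editaccount"]}
]}}
""")

if __name__ == "__main__":
    for severity, name in audit_editaccount(SAMPLE):
        print(f"[{severity}] group '{name}' holds the editaccount right")
```

If the dedicated "editaccount" group is intentional, pass it in `allowed` so that only unexpected grants are reported.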
Use of the special pages "CloseAccount" and "EditAccount" is logged at Special:Log/editaccnt. This log can be set to private if needed.
- Example log entries
* 04:41, March 18, 2011 WikiAdmin (Talk | contribs | block) disabled account User:Example user
* 02:11, February 17, 2011 StaffMember (Talk | contribs | block) changed password for user User:Jimbo Wales