See https://gitlab.wikimedia.org/toolforge-repos/phab-ban/-/blob/main/app.py?ref_type=heads#L207, it only check whether the user is in acl*userdisable. I proposed that Phabricator admins should also has access. Why? see the next section.
And my second proposal (not technical-related, and this is why this task is tagged Phabricator for discussion): Phabricator admins should not disable accounts in Phabricator directly - instead, Phabricator admins should also use this tool to disable account. Currently there are several ways to disable the account:
- For Phabricator admins only: they has permission to directly disable an account in Phabricator (but I propose they not to use it, see below).
- For user in acl*userdisable: disable an account using that tool
- (future, see T338384) For stewards (and staff): globally lock an account the linked account will (currently not) be disabled in Phab
- For Wikitech admin: disable a LDAP account and the linked account will be disabled in Phab
Method | Provides public log? | Provides reason? |
---|---|---|
1 | Yes but in a very obscure place, and no global log is available for non-admin | No (see T102576) |
2 | Yes | No (see T359211) |
3 | Yes | Yes |
4 | Yes, but unclear in future (once we does not use Wikitech to manage LDAP) | Yes, but unclear in future |
As we can see the option 1 is the least transparent, so a simple solution is not to use it manually at all (though it is still used by PhabBanBot).
Currently there are accounts disabled directly, but you can only see which admin disabled it in an obscure place like this.