
Enable 2FA for wikidata-staff on wikidatawiki
Closed, Resolved · Public


A WMDE staff member contacted me to request that OATH be enabled for the wikidata-staff group on wikidatawiki. This is a highly privileged group.

Event Timeline

it's one of many dangerous groups I listed in the comments of

it's one of many dangerous groups I listed in the comments of

It's just symptomatic of a generally bigger problem. We let communities decide on their own extra groups, with varying rights etc. So they can do what we want. And then we don't remember about the various idiosyncrasies of various communities.

I propose we add something to InitialiseSettings that we keep track of these groups that are generally considered "privileged", and as such, should be treated the same for OATHAuth, password requirements and alike -- as although we might've been enabling OATHAuth right for these groups, they've not been included in the bumps in PasswordPolicies. Otherwise we're varying on some right that all groups aren't likely to have in common, which is going to be prone to even more errors.

I want to avoid adding more lines like (and the abusefilter line that was already there). For wiki-specific groups, we should be adding these to groupOverrides/groupOverrides2, where we're already defining said rights. And similar can be said for sysop etc. where it's in CommonSettings.

I know I'm guilty of some of the above, but we might as well fix it up now before it becomes a huge config mess. Granted, eventually these overrides will just be removed, and it'll be enabled for everyone.

'wmgPrivelegedGroups' => [
	'default' => [ 'sysop', 'bureaucrat' ],
	'+wikidatawiki' => [ 'wikidata-staff' ],
],

We can then reuse this variable where necessary for setting these things for elevated password for these groups, and even enabling OATHAuth or similar protection in one place, rather than loads of hard coding.
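
An added example, not taken from the thread or from change 322094: one resolved list of privileged groups drives both the `oathauth-enable` right and the stricter password policy, and a drift check reports groups that hold sensitive rights but were never listed. The resolver is a simplified model of per-wiki `+` merging; the function names, policy values, sensitive-rights set and the `example-local-admins` group are assumptions.

```php
<?php
// Added illustration, not the code from change 322094. Values are constructed.
$setting = [
	'default' => [ 'sysop', 'bureaucrat' ],
	'+wikidatawiki' => [ 'wikidata-staff' ],
];

// Simplified model of per-wiki resolution: '+wiki' merges with 'default'.
function resolveGroups( array $setting, string $wiki ): array {
	$groups = $setting['default'] ?? [];
	if ( isset( $setting["+$wiki"] ) ) {
		$groups = array_values( array_unique( array_merge( $groups, $setting["+$wiki"] ) ) );
	}
	return $groups;
}

// One loop sets both protections, so a listed group cannot get only one of them.
function applyPrivilegedPolicy( array $groups, array &$perms, array &$policy ): void {
	foreach ( $groups as $group ) {
		$perms[$group]['oathauth-enable'] = true;
		$policy['policies'][$group]['MinimalPasswordLength'] = 10; // assumed value
		$policy['policies'][$group]['MinimumPasswordLengthToLogin'] = 1; // assumed value
	}
}

// Drift check: groups holding a sensitive right but absent from the list.
function findUnlisted( array $perms, array $groups, array $sensitive ): array {
	$missing = [];
	foreach ( $perms as $group => $rights ) {
		$held = array_keys( array_filter( $rights ) );
		if ( array_intersect( $held, $sensitive ) && !in_array( $group, $groups, true ) ) {
			$missing[] = $group;
		}
	}
	return $missing;
}

// Constructed sample state; 'example-local-admins' is a hypothetical group.
$wgGroupPermissions = [
	'sysop' => [ 'editinterface' => true ],
	'bureaucrat' => [ 'userrights' => true ],
	'wikidata-staff' => [ 'editinterface' => true, 'userrights' => true ],
	'example-local-admins' => [ 'editinterface' => true ],
];
$wgPasswordPolicy = [ 'policies' => [] ];

$groups = resolveGroups( $setting, 'wikidatawiki' );
applyPrivilegedPolicy( $groups, $wgGroupPermissions, $wgPasswordPolicy );
print_r( findUnlisted( $wgGroupPermissions, $groups, [ 'editinterface', 'userrights' ] ) );
```

Run as a CI check against each wiki's resolved configuration, the drift function surfaces community-defined groups that gained elevated rights without being added to the list.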

Change 322094 had a related patch set uploaded (by Reedy):
Make and re-use list of all elevated WMF groups

Change 322094 merged by jenkins-bot:
Make and re-use list of all elevated WMF groups