Page MenuHomePhabricator

Allow global groups to be assigned temporarily (expire)
Open, MediumPublic


T12493: Setting a temporary usergroup (allow expiry of user rights via Special:UserRights form) is about allowing local user groups to be assigned temporarily. This was a top-10 wish in the 2016 Community Wishlist Survey.

A logical extension of that wish would be to allow global groups to expire as well. From a quick glance, it looks like the CentralAuth code and tables would need similar modifications to core code and tables.

It's worth noting that the community discussion at the Survey didn't mention global groups. However, it seems that this could be useful for global IP block exemptions among other things.

There are only 8 temporary group memberships in force at the moment (6 GIPBE, 1 global delete, 1 global editinterface), so this doesn't look like a high-priority task.

Event Timeline

TTO triaged this task as Low priority.Jan 31 2017, 3:48 AM
TTO updated the task description. (Show Details)

Expiring global groups would be tremendously useful as well. For example, all IPBE's we grant, or nearly all of them, are temporary but don't list them afterwards at SRAT but in our internal wiki for privacy reasons. Other global groups such as editinterface are temporary by default. It'd really help us to have this function avalaible for global rights as well. Thanks!

Just to get an idea, are all of the 252 current global IP-block exemptions temporary? If not, how many are temporary?

Excluding a handful of them, we usually grant that until the global block that caused their issues expires, or for one year and so on. Some users are given GIPBE permanently, but there ain't that much of them. Thanks.

Now that local user group expiration is a reality and seems to be working just fine, can we get an estimate on how much effort or complication this would be? Maybe also adding subtasks of pending things to do would be a good idea? Regards.

I was hoping to work on it this month, but various IRL things happened so that I wasn't able to. I do plan to get to it eventually, but note that this task is not assigned to me, so anyone else may of course claim it if they wish.

I think it is best worked on as a single unit of work; the main meat of it will be a patch to CentralAuth, and I don't think there will be too much beyond that (fingers crossed).

@TTO I think we'll wait for you since you have done most of the temporary userrights feature and know what exactly needs to be done.

Due to recent issues with governments blocking accesses to Wikimedia sites, the number of temporary IP block exemptions have been growing, and so keeping track of all of them is getting harder. We also grant other kind of temporary global rights which would benefit from this, as explained above. Can I suggest, if possible, to have a look at this request again please? Thank you!

Hi there. Any updates? Feature still required for most global ipblock exemptions and (soon) all global interface administrator permissions. Thanks!

Change 475930 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/CentralAuth@master] Allow global groups to be assigned temporarily

Thanks @Melos !!!

AFAICS your change does some DB changes so I'm adding the Schema-change so our DBA can take a look as well.

Notes to consider that just came to my mind: when we implemented expiring local rights there was a problem with said permissions when expiring not being moved to user_former_groups and being in the database indefinitely until someone did "touched" the wiki. This was: T177404: Expired user groups not added to user_former_groups table, T176754: Regularly purge expired temporary userrights from DB tables and T163691: Expired user groups are still shown in Special:Preferences/Special:UserRights after expiring, due to User cache among others. Taking a look at can also be helpful.


Marostegui added a subscriber: Marostegui.

The schema change looks good to me. The table is pretty small (around 1500 rows) and 8M in disk, so it can probably be altered on the master once the schema change is ready.
Please, remember to submit a schema change when the change is merged, using the schema change template:

Removing the DBA tag but I will remain subscribed here in case I am needed :)

@Marostegui So, do we get 475930 merged first and then file a new task? I'd love to get this new feature live but I'm a bit lost on how to proceed. Thanks.

daniel raised the priority of this task from Low to Medium.Feb 5 2020, 7:20 PM
CCicalese_WMF added a subscriber: CCicalese_WMF.

Is this task ready for code review by the Core Platform Team? The only patch I see is 475930, and it is marked as WIP. I'm untagging us for now, but please retag when there is a patch ready for code review.

@CCicalese_WMF I have asked @Melos to confirm whether the patch is still WIP or can proceed to code review. I'll let you know once I have a reply.

Change 475930 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/CentralAuth@master] Allow global groups to be assigned temporarily