Expiring userrights: prevent circumventing of local removal restrictions
Closed, ResolvedPublic
Actions

Description

In most projects, bureaucrats can grant sysop and bureaucrat status but not remove it later. However I noticed that with this system that can be bypassed by changing the permanent flag into a temporary (1 second) flag to get it removed. Given the potential for abuse and untransparency, I suggest that this not be allowed. If a user group is not allowed to remove an userright after being granted, they should not be able to modify it afterwards.

Details

	Subject	Repo	Branch	Lines +/-
	Prevent use of expiries to circumvent restrictions on removing user groups	mediawiki/core	master	+63 -16

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	TTO	T12493 Setting a temporary usergroup (allow expiry of user rights via Special:UserRights form)
Resolved	TTO	T156784 Expiring userrights: prevent circumventing of local removal restrictions
Open	None	T161595 Allow users who can remove but not add a right to shorten userrights expiry

Event Timeline

MarcoAurelio created this task.Jan 31 2017, 9:59 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2017, 9:59 AM

Good catch, MA, I hadn't even thought of this!

To me, the ideal way to prevent abuse would be, where a user can only add the group and not remove it, to only allow that user to increase the expiry date. Decreasing the expiry date would require both add and remove rights. To keep things simple, users with remove rights could only remove permissions (as now), not adjust the expiry date. How does that sound?

So:

users with add rights but not remove: allow them to just augment/increase expiry date in case the right was temporarily granted.
- I'd say works for me. However if the right was permanently granted I'd suggest that the expiry form be hidden for them since you can't increase the duration of an indefinitely granted user right.

users with add and remove: I'd say that those should be able to adjust permissions and even convert indef rights in temp. rights. But if the later is deemed too complicated for now, I'm fine with the "remove, re-grant temporary" strategy.

Change 335217 had a related patch set uploaded (by TTO):
Prevent circumventing restrictions on removing user groups with expiries

https://gerrit.wikimedia.org/r/335217

gerritbot added a project: Patch-For-Review.Jan 31 2017, 1:09 PM

• MZMcBride renamed this task from Expiring userrights: prevent circunventing of local removal restrictions to Expiring userrights: prevent circumventing of local removal restrictions.Feb 1 2017, 12:42 AM

• MZMcBride subscribed.

Change 335217 merged by jenkins-bot:
Prevent use of expiries to circumvent restrictions on removing user groups

https://gerrit.wikimedia.org/r/335217

ReleaseTaggerBot added projects: MW-1.29-release (WMF-deploy-2017-02-07_(1.29.0-wmf.11)), MW-1.29-release-notes.Feb 1 2017, 9:00 PM

TTO closed this task as Resolved.Feb 2 2017, 12:01 AM

TTO claimed this task.

Ricordisamoa subscribed.Feb 2 2017, 6:33 PM

• DannyH moved this task from New & TBD Tickets to Archive on the Community-Tech board.Mar 2 2017, 6:34 PM

EddieGP created subtask T161595: Allow users who can remove but not add a right to shorten userrights expiry.Mar 28 2017, 9:28 AM

EddieGP mentioned this in T161595: Allow users who can remove but not add a right to shorten userrights expiry.

EddieGP closed subtask T161595: Allow users who can remove but not add a right to shorten userrights expiry as Declined.Apr 7 2017, 1:19 AM

Anomie merged a task: T164146: Expiring Groupmemberships create a possibility to override rights restrictions.May 1 2017, 3:13 PM