
Disallow blocked users on mediawiki to create accounts on phabricator
Closed, Resolved (Public)

Description

We just had a spammer on Phabricator, User Since Fri, Apr 14, 2:02 PM (10 m, 29 s)

But they were blocked on mediawiki.org hours ago...

(change visibility) 06:59, 14 April 2017 Mainframe98 (talk | contribs | block) blocked Supriyanto maftuh (talk | contribs) with an expiry time of indefinite (account creation disabled) (Spam/advertising-only account) (unblock | change block)

Event Timeline

demon triaged this task as Medium priority. Apr 19 2017, 6:05 PM
demon subscribed.

Offshoot of this... https://phabricator.wikimedia.org/p/Fiona1213/ was blocked onwiki back in January https://www.mediawiki.org/w/index.php?title=User:Fiona1213 but had created a phabricator account before that

Then today it started changing tasks that looked suspicious, so I disabled the account...

Thanks. Been looking for a quick way to check existing accounts but https://phabricator.wikimedia.org/conduit/method/user.search/ does not support providing a list of associated "MediaWiki User" accounts, and screenscraping Phab user pages does not sound feasible. :/

(To answer the task's title question: No.)

> (To answer the task's title question: No.)

Heh.

Of course, we have two levels of this:

  • If a user is blocked (on mediawiki wiki at least/globally), they shouldn't then be able to create accounts on phabricator
  • If a user already had an account, and then they get globally blocked/blocked on mediawiki wiki, they should then be disabled on phabricator

Plus, then for the latter, if/when they are unblocked, the phab account could potentially be unblocked then....

So we need some sort of synchronisation one way or another... Potentially? On a cronjob..

> Thanks. Been looking for a quick way to check existing accounts but https://phabricator.wikimedia.org/conduit/method/user.search/ does not support providing a list of associated "MediaWiki User" accounts, and screenscraping Phab user pages does not sound feasible. :/

How's your SQL? ;) I'm not familiar with the phabricator schema, but it shouldn't be too hard with access to either the labs instance or, preferably, production's mysql slave.

I don't mind having a look at the hackathon, and we can probably get opsen to give me access easy enough to poke around further

I wonder if we could use conduit to do it instead.

Maybe have a bot that looks at special:blockedusers (or whatever the special page is), and block the user on phab if the bot sees an account with the same username (possibly even allow the bot to use the CU tool and verify it's the same user using the IP as well, to prevent some false positives)

As for the original question: Shouldn't we be blocking the creation of the account during the OAuth process, rather than doing other hacky methods?

As for users that become blocked after the account gets created that would need further discussion

> Maybe have a bot that looks at special:blockedusers (or whatever the special page is), and block the user on phab if the bot sees an account with the same username (possibly even allow the bot to use the CU tool and verify it's the same user using the IP as well, to prevent some false positives)

No need for such wild assumptions.
MediaWiki offers API, no need for "special pages". "Same username" is error-prone and many Phab accounts are linked to their mw.org accounts anyway so information is often already available. No need for checking any IPs either.

Indeed. We show the linked user on the profile, so it's stored in some field somewhere

I guess we should probably consider doing similar/same for wikitech to phab too

> As for the original question: Shouldn't we be blocking the creation of the account during the OAuth process, rather than doing other hacky methods?

FWIW, a blocked user was not able to use OAuth till T156803: Handle blocked users consistently. What we could do is check the blocked field of JWT (I don't remember what that is)

> How's your SQL? ;)

Primest! ;)
[phabricator_user] SELECT user.username, user_externalaccount.accountURI FROM user JOIN user_externalaccount ON user_externalaccount.userPHID = user.phid WHERE user_externalaccount.accountType = "mediawiki" AND user.isDisabled = 0;
accountType is either mediawiki or ldap.
Output: username is the Phab username. accountURI is like https://www.mediawiki.org/wiki/User:Malyacko.
Strip URL part before colon, then feed those ~10000 accounts into the MediaWiki API, then check for blockexpiry or such in the JSON output, then disable the corresponding Phab account. Basically.
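The sync step just described (strip the URI down to the wiki user name, batch the names into the MediaWiki API with usprop=blockinfo, and collect the Phab accounts whose linked wiki account has an active block), written out as an added example that is not code from this task or from Wikimedia. The SQL rows and the API reply embedded below are constructed samples, and the function and variable names are my own.

```python
import json
import urllib.parse
import urllib.request
from urllib.parse import unquote

# Constructed sample of the SQL output above: (Phab username, accountURI). Hypothetical values.
SAMPLE_ROWS = [
    ("alice", "https://www.mediawiki.org/wiki/User:Alice"),
    ("spam_bot", "https://www.mediawiki.org/wiki/User:Spam_bot"),
    ("bob", "https://www.mediawiki.org/wiki/User:Bob"),
]

# Constructed sample of a list=users&usprop=blockinfo reply; only active blocks carry blockexpiry.
SAMPLE_API_RESPONSE = {"query": {"users": [
    {"userid": 1, "name": "Alice"},
    {"userid": 2, "name": "Spam bot", "blockid": 42, "blockedby": "Mainframe98",
     "blockexpiry": "infinite", "blockreason": "Spam/advertising-only account"},
    {"userid": 3, "name": "Bob"},
]}}


def wiki_username(account_uri):
    """Strip the URL part before the 'User:' colon and normalise to the form the API echoes back."""
    name = unquote(account_uri.partition("User:")[2]).replace("_", " ").strip()
    return name[:1].upper() + name[1:]


def mediawiki_blockinfo(names, api_url="https://www.mediawiki.org/w/api.php"):
    """Live query (not used by the offline sample): ask the MediaWiki API for block info on names."""
    params = urllib.parse.urlencode({"action": "query", "list": "users", "usprop": "blockinfo",
                                     "ususers": "|".join(names), "format": "json"})
    with urllib.request.urlopen(f"{api_url}?{params}") as resp:
        return json.load(resp)


def blocked_phab_users(rows, query_api=mediawiki_blockinfo):
    """Return Phab usernames whose linked wiki account currently has an active block.
    query_api takes a list of wiki user names and returns the decoded API JSON."""
    wiki_to_phab = {wiki_username(uri): phab for phab, uri in rows}
    names = list(wiki_to_phab)
    to_disable = []
    for start in range(0, len(names), 50):  # the API accepts at most 50 names per request
        for user in query_api(names[start:start + 50]).get("query", {}).get("users", []):
            # 'missing'/'invalid' users and expired blocks carry no blockexpiry key
            if "blockexpiry" in user and user.get("name") in wiki_to_phab:
                to_disable.append(wiki_to_phab[user["name"]])
    return sorted(set(to_disable))


if __name__ == "__main__":
    print(blocked_phab_users(SAMPLE_ROWS, lambda names: SAMPLE_API_RESPONSE))
```

Feeding the result into the Phab-side disable step (and, on a later run, re-enabling accounts that drop out of the list) is the part left to the cron job; note that an expired block simply disappears from the API reply rather than being reported as lifted.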

> As for the original question: Shouldn't we be blocking the creation of the account during the OAuth process, rather than doing other hacky methods?

> FWIW, a blocked user was not able to use OAuth till T156803: Handle blocked users consistently. What we could do is check the blocked field of JWT (I don't remember what that is)

That would stop creation by the looks of it, although I would vaguely guess that we don't recheck the OAuth status unless they log out and back in, so we would have to work out something to cover the case where they get blocked afterwards as well.

@mmodell @demon Do you guys have thoughts on this task?

> That would stop creation by the looks of it, although I would vaguely guess that we don't recheck the OAuth status unless they log out and back in, so we would have to work out something to cover the case where they get blocked afterwards as well.

Indeed I believe that we only validate the oauth token on login and then the phabricator session lives essentially forever. A cron job that disables phabricator users would take care of the sessions but it might leave a window of time where the user is blocked on wiki and still has an active account / session on phabricator.

...which would still be a way shorter window of time than the current one, if I get it right?

Aklapper renamed this task from "Should we allow blocked users on mediawiki to create accounts on phabricator" to "Disallow blocked users on mediawiki to create accounts on phabricator". Jun 17 2017, 10:57 PM

After poking at the code for a bit, I came to the following conclusions:

  1. It's easy to prevent blocked users from authenticating at all in phabricator. This would also prevent blocked users from creating accounts.
  2. It doesn't look like there is a way to prevent registering without ALSO preventing login. I think it's probably fine though. IMO blocked users should be locked out of phabricator but maybe some of you will disagree with this?
mmodell added a revision: Restricted Differential Revision. Jun 18 2017, 7:13 AM

> 2. It doesn't look like there is a way to prevent registering without ALSO preventing login. I think it's probably fine though. IMO blocked users should be locked out of phabricator but maybe some of you will disagree with this?

I don't. :) Thanks for D687 (and happy to see it's a short change)!

> After poking at the code for a bit, I came to the following conclusions:
>
>   1. It's easy to prevent blocked users from authenticating at all in phabricator. This would also prevent blocked users from creating accounts.
>   2. It doesn't look like there is a way to prevent registering without ALSO preventing login. I think it's probably fine though. IMO blocked users should be locked out of phabricator but maybe some of you will disagree with this?

I'm guessing users who create an account through wikitech, which uses LDAP, will be unaffected by this, since blocking users on the wikitech side should prevent users from logging into Phabricator (since it uses LDAP)?

That depends - if ldap on wikitech respects blocked status, I have not tested that.

> That depends - if ldap on wikitech respects blocked status, I have not tested that.

AFAIK, not automatically.

The patch to oauth is deployed. I've confirmed that it did not break logins but I haven't tested to be sure that it does block logins for accounts which are blocked.

Created a separate task to address wikitech. This task is now resolvable.