Page MenuHomePhabricator

Disallow blocked users on mediawiki to create accounts on phabricator
Closed, ResolvedPublic

Description

We just had a spammer on Phabricator, User Since Fri, Apr 14, 2:02 PM (10 m, 29 s)

But they were blocked on mediawiki.org hours ago...

(change visibility) 06:59, 14 April 2017 Mainframe98 (talk | contribs | block) blocked Supriyanto maftuh (talk | contribs) with an expiry time of indefinite (account creation disabled) (Spam/advertising-only account) (unblock | change block)

Event Timeline

Reedy created this task.Apr 14 2017, 1:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 14 2017, 1:16 PM
demon triaged this task as Normal priority.Apr 19 2017, 6:05 PM
demon added a subscriber: demon.
Reedy added a comment.May 12 2017, 2:13 PM

Offshoot of this... https://phabricator.wikimedia.org/p/Fiona1213/ was blocked onwiki back in January https://www.mediawiki.org/w/index.php?title=User:Fiona1213 but had created a phabricator account before that

Then today it started changing tasks that looked suspicious, so I disabled the account...

Thanks. Been looking for a quick way to check existing accounts but https://phabricator.wikimedia.org/conduit/method/user.search/ does not support providing a list of associated "MediaWiki User" accounts, and screenscraping Phab user pages does not sound feasible. :/

greg added a subscriber: greg.May 12 2017, 4:56 PM

(To answer the task's title question: No.)

Reedy added a comment.May 12 2017, 9:43 PM

(To answer the task's title question: No.)

Heh.

Of course, we have two levels of this:

  • If a user is blocked (on mediawiki wiki at least/globally), they shouldn't then be able to create accounts on phabricator
  • If a user already had an account, and then they get globally blocked/blocked on mediawiki wiki, they should then be disabled on phabricator

Plus, then for the latter, if/when they are unblocked, the phab account could potentially be unblocked then....

So we need some sort of synchronisation one way or another... Potentially? On a cronjob..

Thanks. Been looking for a quick way to check existing accounts but https://phabricator.wikimedia.org/conduit/method/user.search/ does not support providing a list of associated "MediaWiki User" accounts, and screenscraping Phab user pages does not sound feasible. :/

How's your SQL? ;) I'm not familiar with the phabricator schema, but shouldn't be too hard with access to either the labs instance, or more preferably, productions mysql slave.

I don't mind having a look at the hackathon, and we can probably get opsen to give me access easy enough to poke around further

I wonder if we could use conduit to do it instead.

Zppix added a subscriber: Zppix.May 12 2017, 9:48 PM

Maybe have a bot that looks at special:blockedusers (or whatever the special page is), and block the user on phab if the bot sees an account with the same username (possible even allow the bot to use CU tool and verify its the same user using ip as well to prevent some false-positives)

As for the original question: Shouldn't we be blocking the creation of the account during the OAuth process? compared to do hacky other methods?

As for users that become blocked after the account gets created that would need further discussion

Maybe have a bot that looks at special:blockedusers (or whatever the special page is), and block the user on phab if the bot sees an account with the same username (possible even allow the bot to use CU tool and verify its the same user using ip as well to prevent some false-positives)

No need for such wild assumptions.
MediaWiki offers API, no need for "special pages". "Same username" is error-prone and many Phab accounts are linked to their mw.org accounts anyway so information is often already available. No need for checking any IPs either.

Reedy added a comment.May 13 2017, 4:25 PM

Indeed. We show the linked user on the profile, so it's store in some field somewhere

I guess we should probably consider doing similar/same for wikitech to phab too

As for the original question: Shouldn't we be blocking the creation of the account during the OAuth process? compared to do hacky other methods?

FWIW, a blocked user was not able to use OAuth till T156803: Handle blocked users consistently. What we could do is check the blocked field of JWT (I don't remember what that is)

Aklapper added a comment.EditedMay 13 2017, 7:40 PM

How's your SQL? ;)

Primest! ;)
[phabricator_user] SELECT user.username, user_externalaccount.accountURI FROM user JOIN user_externalaccount WHERE user_externalaccount.accountType = "mediawiki" AND user.isDisabled = 0 AND user_externalaccount.userPHID = user.phid;
accountType is either mediawiki or ldap.
Output: username is the Phab username. accountURI is like https://www.mediawiki.org/wiki/User:Malyacko.
Strip URL part before colon, then feed those ~10000 accounts into the MediaWiki API, then check for blockexpiry or such in the JSON output, then disable the corresponding Phab account. Basically.

As for the original question: Shouldn't we be blocking the creation of the account during the OAuth process? compared to do hacky other methods?

FWIW, a blocked user was not able to use OAuth till T156803: Handle blocked users consistently. What we could do is check the blocked field of JWT (I don't remember what that is)

That would stop creation by the looks, Although I would vaguely guessing that we don't recheck the OAuth status unless they log out and back in, so we would have to work out something to cover the case were they get blocked after as well.

@mmodell @demon Do you guys have thoughts on this task?

That would stop creation by the looks, Although I would vaguely guessing that we don't recheck the OAuth status unless they log out and back in, so we would have to work out something to cover the case were they get blocked after as well.

Indeed I believe that we only validate the oauth token on login and then the phabricator session lives essentially forever. A cron job that disables phabricator users would take care of the sessions but it might leave a window of time where the user is blocked on wiki and still has an active account / session on phabricator.

...which would still be a way shorter window of time than the current one, if I get it right?

Aklapper renamed this task from Should we allow blocked users on mediawiki to create accounts on phabricator to Disallow blocked users on mediawiki to create accounts on phabricator.Jun 17 2017, 10:57 PM

After poking at the code for a bit, I came to the following conclusions:

  1. It's easy to prevent blocked users from authenticating at all in phabricator. This would also prevent blocked users from creating accounts.
  2. It doesn't look like there is a way to prevent registering without ALSO preventing login. I think it's probably fine though. IMO blocked users should be locked out of phabricator but maybe some of you will disagree with this?
  1. It doesn't look like there is a way to prevent registering without ALSO preventing login. I think it's probably fine though. IMO blocked users should be locked out of phabricator but maybe some of you will disagree with this?

I don't. :) Thanks for D687 (and happy to see it's a short change)!

After poking at the code for a bit, I came to the following conclusions:

  1. It's easy to prevent blocked users from authenticating at all in phabricator. This would also prevent blocked users from creating accounts.
  2. It doesn't look like there is a way to prevent registering without ALSO preventing login. I think it's probably fine though. IMO blocked users should be locked out of phabricator but maybe some of you will disagree with this?

Im guessing users who create an account through wiki tech which uses ldap will be unaffected by this since blocking users wikitech side should prevent users from logging into Phabricator (since it uses ldap)?

That depends - if ldap on wikitech respects blocked status, I have not tested that.

That depends - if ldap on wikitech respects blocked status, I have not tested that.

AFAIK, not automatically.

mmodell claimed this task.Jun 21 2017, 4:49 PM

The patch to oauth is deployed. I've confirmed that it did not break logins but I haven't tested to be sure that it does block logins for accounts which are blocked.

mmodell closed this task as Resolved.Jun 23 2017, 4:25 AM

Created a separate task to address wikitech. This task is now resolvable.