Page MenuHomePhabricator

Block Special:OAuth/authorize for WP Zero users
Closed, DeclinedPublic


Is really needed for T168142: Cleanup uploaded files, WP zero abuse.

We can create a blacklist/whitelist of OAuth clients apps, later.

Event Timeline

This request doesn't seem especially legit. You "just" want to block them from using Phabricator, don't you?

It's not acceptable to break core functionality of Wikimedia (content) wikis for an entire class of users just to combat a minority of abusers. Targeted blocks must be used instead, see T168142#3357904. Let's close this one to avoid having a hundred parallel discussions.

Thanks for your comment, I agree with your argument.
But in an other hand I think that we need to be able to do this block, if it's needed, in a larger vision than phabricator. Perhaps we should work on the software to be able to do this in case of emergency. Curently as I know nothing is designed to do this. Do you think that it's necessary ? Or it's a spent of time ?

Even apart from collateral damage, this does not seem particularly useful. There is no such thing as a Zero user; only a Zero request. Users could easily do the authorization via some proxy or different provider and do the file uploads via Zero. In the case of Phabricator, OAuth is only used to log you in, anyway (and it's not even the only way to do that); actual usage of Phabricator does not depend on OAuth in any way.

Also, the point of the Zero piracy is to allow users to download pirated material free of charge. Uploading it free of charge is convenient but I doubt the pirates really depend on it as it is easy to make money out of pirate sites. And public files can be downloaded from Phabricator without logging in, so the only part of the workflow that requires Zero does not involve login at all.