
Block Special:OAuth/authorize for WP Zero users
Closed, Declined, Public

Description

This is really needed for T168142: Cleanup phabricator.wikimedia.org uploaded files, WP zero abuse.

We can create a blacklist/whitelist of OAuth client apps later.

Event Timeline

This request doesn't seem especially legit. You "just" want to block them from using Phabricator, don't you?

It's not acceptable to break core functionality of Wikimedia (content) wikis for an entire class of users just to combat a minority of abusers. Targeted blocks must be used instead, see T168142#3357904. Let's close this one to avoid having a hundred parallel discussions.

Thanks for your comment, I agree with your argument.
But on the other hand, I think that we need to be able to do this block, if it's needed, in a broader view than Phabricator. Perhaps we should work on the software to be able to do this in case of emergency. Currently, as far as I know, nothing is designed to do this. Do you think that it's necessary? Or is it a waste of time?

Even apart from collateral damage, this does not seem particularly useful. There is no such thing as a Zero user; only a Zero request. Users could easily do the authorization via some proxy or different provider and do the file uploads via Zero. In the case of Phabricator, OAuth is only used to log you in, anyway (and it's not even the only way to do that); actual usage of Phabricator does not depend on OAuth in any way.

Also, the point of the Zero piracy is to allow users to download pirated material free of charge. Uploading it free of charge is convenient but I doubt the pirates really depend on it as it is easy to make money out of pirate sites. And public files can be downloaded from Phabricator without logging in, so the only part of the workflow that requires Zero does not involve login at all.