Allow blocking of global accounts
Open, MediumPublic
Actions

Assigned To

Authored By

	Pathoschild
	Aug 24 2008, 9:45 PM

Description

Global accounts currently cannot be blocked, so that stewards must lock users out of their accounts to stop them. This is very user-unfriendly, as it does not give an error message. From the user's perspective, their session simply disappears and their password no longer works. This makes account locks impossible to appeal or even understand for the vast majority of users, which exacerbates the situation of false-positive or legitimate users.

It would be very beneficial to allow stewards to block accounts, with an appropriate you've-been-blocked message when they try to edit or create/unify local accounts.

Details

Reference: bz15294

	Project	Branch	Lines +/-	Subject
	mediawiki/extensions/GlobalBlocking	master	+1 K -166	Allow blocking global accounts

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T19929 CentralAuth account locks should trigger global autoblocks
		Open		Skizzerz	T17294 Allow blocking of global accounts

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

NahidSultan added a subscriber: NahidSultan.Mar 1 2016, 10:19 PM

In T17294#1057094, @Krenair wrote:

If we added the ability to block accounts from Extension:GlobalBlocking, would we also need to add the ability to disable their ability to email and implement global autoblocks for it to be useful?

Yes. Options to remove email access, prevent account creation and autoblock should exist. I am however lowering priority on this. There has been no coding for this in years now, so it's being hardly a 'high' priority for anyone interested in coding. Also, since 90+% of global blocks we perform are on spambots, I'm not that worried about the user-friendlyness.

Since this might require much coding to be a reality, I'd propose to work with what we have now and allow that global locking triggers global autoblocks so we don't have to CU that often (cfr. T19929: CentralAuth account locks should trigger global autoblocks), if possible at all.

Nemo_bis mentioned this in T101615: Create a blacklist of user who can not use Special:GlobalRenameRequest.Apr 3 2016, 9:27 AM

MarcoAurelio removed a subscriber: • wikibugs-l-list.Apr 18 2016, 9:18 AM

Adjusting priority per T19929#2239938

Nemo_bis mentioned this in T19929: CentralAuth account locks should trigger global autoblocks.May 22 2016, 7:04 AM

Adjusting priority to reflect reality. See the last paragraph of T17294#2145002 which should be discussed.

Please avoid messing up with this report. Your comment has no relationship with the status of the report. The paragraph you mention doesn't describe a "reality" in contrast with the priority. Moreover I already addressed it in my comment. Finally, I don't think you have sufficient experience in this component to judge the matter technically.

In T17294#2315909, @Nemo_bis wrote:

The paragraph you mention doesn't describe a "reality" in contrast with the priority.

@Nemo_bis: If you missed the link I pasted, let me quote from it: "Report status and priority fields summarize and reflect reality and do not cause it."
If you plan to work on this task or know someone to work on this task to see progress, or if you have convincing reasons why this task has suddenly become more urgent which justifies increasing priority, please share them with us explicitly.

matej_suchanek updated the task description. (Show Details)May 22 2016, 5:00 PM

@Nemo_bis: You didn't explained why this task is urgent.

Urbanecm added a subscriber: Urbanecm.Jul 13 2016, 10:52 AM

Nemo_bis rescinded a token.Jul 16 2016, 8:00 AM

Nemo_bis awarded a token.

BethNaught added a subscriber: BethNaught.Jan 6 2017, 12:06 PM

MarcoAurelio removed a parent task: T43492: [DO NOT USE] Steward, global sysop and SWMT tasks bugs (tracking) [superseded by #Stewards-and-global-tools].Jan 11 2017, 11:39 PM

MarcoAurelio added a project: Epic.Jan 22 2017, 3:14 PM

MarcoAurelio added a project: Goal.

Liuxinyu970226 mentioned this in T106687: Flow does not support varying language of parts of content based on user interface language (e.g. {{int:}}).Jan 22 2017, 3:20 PM

EddieGP awarded a token.Feb 15 2017, 6:22 PM

Matanya moved this task from Untriaged to High priority on the Stewards-and-global-tools board.Apr 19 2017, 8:40 PM

TheDragonFire added a subscriber: TheDragonFire.Jun 24 2017, 4:47 AM

Several things have changed since this task was first created. We should evaluate if this task can be actioned with how things work now. I am on the opinion that global lock is not that bad. At least it does the job and 90% of the accounts we lock are spambots which won't care about "you've been blocked" messages. For the rest maybe adding a "your account has been globally locked" message could be useful instead of a "wrong password" message. In any case globally locking an account should trigger a global IP autoblock in the same way a local block does (T19929). T158473 would also be a good adittion (not commenting the details as the task is private).

I think a "your account has been locked" msg is already implemented?

In T17294#3377124, @Luke081515 wrote:

I think a "your account has been locked" msg is already implemented?

By a quick look I can't find it at translatewiki.net so I don't think so.

There already are such messages; https://www.mediawiki.org/wiki/MediaWiki:Centralauth-error-locked and https://www.mediawiki.org/w/index.php?title=MediaWiki:Centralauth-login-error-locked&action=edit&redlink=1

• TBolliger added a project: Anti-Harassment.Jul 28 2017, 9:27 PM

• TBolliger added a subscriber: • TBolliger.

• TBolliger moved this task from Untriaged to Product/Tech backlog on the Anti-Harassment board.Aug 16 2017, 6:11 PM

Sau226 added a subscriber: Sau226.Oct 14 2017, 4:47 AM

Liuxinyu970226 awarded a token.Nov 14 2017, 12:52 AM

Vituzzu awarded a token.Nov 23 2017, 3:24 PM

• TBolliger added a project: MediaWiki-User-management.Jan 12 2018, 11:04 PM

• TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.

Honischboy awarded a token.Feb 15 2018, 6:50 AM

Restricted Application added a subscriber: MGChecker. · View Herald TranscriptFeb 15 2018, 6:50 AM

Honischboy added a subscriber: Honischboy.Feb 15 2018, 6:58 AM

DonTrung added a subscriber: DonTrung.Apr 14 2018, 11:46 AM

Nemo_bis mentioned this in T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505).May 14 2018, 6:59 PM

Bawolff added a subscriber: Bawolff.May 14 2018, 10:41 PM

alaa added a subscriber: alaa.Jun 10 2018, 1:42 PM

• TBolliger removed a project: Anti-Harassment.Jun 11 2018, 9:11 PM

I think that regardless of how effective CentralAuth's global locks are, implementing something in the GlobalBlocking extension that allows users to be blocked would be worthwhile, especially for independent wikis who don't utilize CentralAuth.

You know, I was thinking that this task was about enabling such a functionality in Wikimedia but actually the GlobalBlocking function does not allow account blocks if https://www.mediawiki.org/wiki/Extension:GlobalBlocking is accurate. Maybe this task needs to be split?

Rxy added a subscriber: Rxy.Nov 17 2018, 2:45 AM

94rain added a subscriber: 94rain.Jun 2 2019, 12:30 AM

ToBeFree awarded a token.Aug 21 2019, 5:31 PM

So is this a feature for the GlobalBlocking extension or for CentralAuth? Could the GlobalBlocking extension not be used?

No, GlobalBlocking is only about IPs.

DannyS712 edited projects, added MediaWiki-Blocks; removed MediaWiki-User-management.Apr 25 2020, 12:13 AM

Restricted Application added a project: MediaWiki-User-management. · View Herald TranscriptApr 25 2020, 12:13 AM

JJMC89 removed a project: MediaWiki-User-management.Apr 25 2020, 6:39 PM

• A1N2D3R4E5W6 added a subscriber: • A1N2D3R4E5W6.Jun 1 2020, 12:51 PM

This comment was removed by Aklapper.

• A1N2D3R4E5W6 added a comment.Jun 1 2020, 8:28 PM

This comment was removed by Aklapper.