Allow blocking of global accounts
Open, Medium, Public

Assigned To
None
Authored By
Pathoschild
Aug 24 2008, 9:45 PM
Description

Global accounts currently cannot be blocked, so that stewards must lock users out of their accounts to stop them. This is very user-unfriendly, as it does not give an error message. From the user's perspective, their session simply disappears and their password no longer works. This makes account locks impossible to appeal or even understand for the vast majority of users, which exacerbates the situation of false-positive or legitimate users.

It would be very beneficial to allow stewards to block accounts, with an appropriate you've-been-blocked message when they try to edit or create/unify local accounts.

Details

Reference
bz15294

Event Timeline

dyang304 wrote:

Instead of "Incorrect password entered. Please try again", I'm thinking of two preferable messages:

  1. "Unable to log you in because your account has been locked out, please contact stewards at [[m:Steward requests/Global]] and request unlocking."
  2. "The specified account is currently locked out and cannot be logged in to. To recover your ability to log in, please make an unlocking request for your account at [[m:Steward requests/Global]]."

Note: All wiki markup will be used.

Also, as Nemo pointed out, maybe we could enable block settings for global Blocks of accounts, maybe like talk page editing, so that local sysops can locally disable global blocks, e-mail access, and account creation status (enabled or disabled).

If we added the ability to block accounts from Extension:GlobalBlocking, would we also need to add the ability to disable their ability to email and implement global autoblocks for it to be useful?

If we added the ability to block accounts from Extension:GlobalBlocking, would we also need to add the ability to disable their ability to email and implement global autoblocks for it to be useful?

There are separate bugs for that already, IIRC.

MarcoAurelio lowered the priority of this task from High to Low. Mar 23 2016, 5:23 PM

If we added the ability to block accounts from Extension:GlobalBlocking, would we also need to add the ability to disable their ability to email and implement global autoblocks for it to be useful?

Yes. Options to remove email access, prevent account creation and autoblock should exist. I am however lowering priority on this. There has been no coding for this in years now, so it's hardly a 'high' priority for anyone interested in coding. Also, since 90+% of global blocks we perform are on spambots, I'm not that worried about the user-friendliness.

Since this might require much coding to be a reality, I'd propose to work with what we have now and allow that global locking triggers global autoblocks so we don't have to CU that often (cfr. T19929: CentralAuth account locks should trigger global autoblocks), if possible at all.

Aklapper lowered the priority of this task from High to Medium. May 22 2016, 11:07 AM

Adjusting priority to reflect reality. See the last paragraph of T17294#2145002 which should be discussed.

Nemo_bis raised the priority of this task from Medium to High. May 22 2016, 11:30 AM

Please avoid messing up with this report. Your comment has no relationship with the status of the report. The paragraph you mention doesn't describe a "reality" in contrast with the priority. Moreover I already addressed it in my comment. Finally, I don't think you have sufficient experience in this component to judge the matter technically.

The paragraph you mention doesn't describe a "reality" in contrast with the priority.

@Nemo_bis: If you missed the link I pasted, let me quote from it: "Report status and priority fields summarize and reflect reality and do not cause it."
If you plan to work on this task or know someone to work on this task to see progress, or if you have convincing reasons why this task has suddenly become more urgent which justifies increasing priority, please share them with us explicitly.

Poyekhali lowered the priority of this task from High to Medium. May 30 2016, 4:27 AM

@Nemo_bis: You didn't explain why this task is urgent.

Several things have changed since this task was first created. We should evaluate if this task can be actioned with how things work now. I am of the opinion that global lock is not that bad. At least it does the job and 90% of the accounts we lock are spambots which won't care about "you've been blocked" messages. For the rest maybe adding a "your account has been globally locked" message could be useful instead of a "wrong password" message. In any case globally locking an account should trigger a global IP autoblock in the same way a local block does (T19929). T158473 would also be a good addition (not commenting the details as the task is private).

I think a "your account has been locked" msg is already implemented?

I think a "your account has been locked" msg is already implemented?

By a quick look I can't find it at translatewiki.net so I don't think so.

I think that regardless of how effective CentralAuth's global locks are, implementing something in the GlobalBlocking extension that allows users to be blocked would be worthwhile, especially for independent wikis who don't utilize CentralAuth.

You know, I was thinking that this task was about enabling such a functionality in Wikimedia but actually the GlobalBlocking function does not allow account blocks if https://www.mediawiki.org/wiki/Extension:GlobalBlocking is accurate. Maybe this task needs to be split?

So is this a feature for the GlobalBlocking extension or for CentralAuth? Could the GlobalBlocking extension not be used?

No, GlobalBlocking is only about IPs.
