Page MenuHomePhabricator

Make users without 2FA setup not have checkuser right regardless of their groups
Open, Needs TriagePublic

Description

It was recently suggested on #wikimedia-commons that users without 2FA enabled should automatically have checkuser (And maybe oversight, and eventually maybe admin) rights disabled, and then automatically enabled once they re-enable 2FA.

We should consider looking into this.

See the (private) task T197500 for a list of users this would affect.

Event Timeline

@Bawolff from what I understand, the way CheckUser works right now is it calls checkPermissions which is inherited from SpecialPage. I am thinking we can override this method in which we first call the parent function, and then call a hook (and I need your suggestion for its name, does onCUCheckPermission sound good?) to allow other extensions to control whether the method results in a pass or a fail situation. Finally, we can modify MediaWiki-extensions-OATHAuth code to return a pass if the user has 2FA enabled and fail otherwise.

I think the limitation here is what @Reedy mentioned in T150562 i.e. the communication piece will be messy (as in, the user will get a generic permission error, not one that specifically says "you need to enable 2FA"). Unless there is a way to avoid that which I am not able to think of.

@Bawolff from what I understand, the way CheckUser works right now is it calls checkPermissions which is inherited from SpecialPage. I am thinking we can override this method in which we first call the parent function, and then call a hook (and I need your suggestion for its name, does onCUCheckPermission sound good?) to allow other extensions to control whether the method results in a pass or a fail situation. Finally, we can modify MediaWiki-extensions-OATHAuth code to return a pass if the user has 2FA enabled and fail otherwise.

I think the limitation here is what @Reedy mentioned in T150562 i.e. the communication piece will be messy (as in, the user will get a generic permission error, not one that specifically says "you need to enable 2FA"). Unless there is a way to avoid that which I am not able to think of.

If we do do this bug - I think the 2FA system should hook into mediawikis auth system directly - not try and override how checkuser works. E.g. use the userCan hook or UserGetRights hook or some similar hook.

Vvjjkkii renamed this task from Make users without 2FA setup not have checkuser right regardless of their groups to 6saaaaaaaa.Jul 1 2018, 1:03 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: MarcoAurelio, Huji, Aklapper.
CommunityTechBot renamed this task from 6saaaaaaaa to Make users without 2FA setup not have checkuser right regardless of their groups.Jul 2 2018, 4:54 AM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)

Change 450292 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/extensions/CheckUser@master] Bug: T197501

https://gerrit.wikimedia.org/r/450292

Change 450293 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/core@master] Bug: T197501

https://gerrit.wikimedia.org/r/450293

This comment was removed by MR70.

It was pointed out to me that this might not be the best idea, because if an attacker compromises an account that has temporarily removed 2FA, the attacker can just enroll into 2FA to get back access.