
Make users without 2FA setup not have checkuser right regardless of their groups
Open, Needs Triage, Public

Description

It was recently suggested on #wikimedia-commons that users without 2FA enabled should automatically have checkuser (And maybe oversight, and eventually maybe admin) rights disabled, and then automatically enabled once they re-enable 2FA.

We should consider looking into this.

See the (private) task T197500 for a list of users this would affect.

Event Timeline

Bawolff created this task. Jun 15 2018, 10:44 PM
Restricted Application added a subscriber: Aklapper. Jun 15 2018, 10:44 PM
Bawolff updated the task description. Jun 15 2018, 10:45 PM
Huji added a subscriber: Huji. (Edited) Jun 15 2018, 11:51 PM

@Bawolff from what I understand, the way CheckUser works right now is it calls checkPermissions which is inherited from SpecialPage. I am thinking we can override this method in which we first call the parent function, and then call a hook (and I need your suggestion for its name, does onCUCheckPermission sound good?) to allow other extensions to control whether the method results in a pass or a fail situation. Finally, we can modify MediaWiki-extensions-OATHAuth code to return a pass if the user has 2FA enabled and fail otherwise.

I think the limitation here is what @Reedy mentioned in T150562 i.e. the communication piece will be messy (as in, the user will get a generic permission error, not one that specifically says "you need to enable 2FA"). Unless there is a way to avoid that which I am not able to think of.

1997kB added a subscriber: 1997kB. Jun 16 2018, 2:21 AM

> @Bawolff from what I understand, the way CheckUser works right now is it calls checkPermissions which is inherited from SpecialPage. I am thinking we can override this method in which we first call the parent function, and then call a hook (and I need your suggestion for its name, does onCUCheckPermission sound good?) to allow other extensions to control whether the method results in a pass or a fail situation. Finally, we can modify MediaWiki-extensions-OATHAuth code to return a pass if the user has 2FA enabled and fail otherwise.
>
> I think the limitation here is what @Reedy mentioned in T150562 i.e. the communication piece will be messy (as in, the user will get a generic permission error, not one that specifically says "you need to enable 2FA"). Unless there is a way to avoid that which I am not able to think of.

If we do do this bug - I think the 2FA system should hook into MediaWiki's auth system directly - not try and override how CheckUser works. E.g. use the userCan hook or UserGetRights hook or some similar hook.
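One way to implement the UserGetRights approach suggested above, as an added example that is not code from this task, from the CheckUser extension or from OATHAuth. The hook name and its `( $user, array &$rights )` signature are MediaWiki's own; the `$has2fa` callable (a stand-in for an OATHAuth lookup), the `DemoUser` stub and the enrolment table are assumptions constructed for the demonstration:

```php
<?php
// Added example, not code from the task or from the CheckUser / OATHAuth
// extensions. It sketches the suggestion to enforce the 2FA requirement in
// MediaWiki's own permission layer via the UserGetRights hook: the right
// disappears while 2FA is off and comes back on its own once it is re-enabled,
// without touching group membership or Special:CheckUser. The hook name and
// its ( $user, array &$rights ) signature are real; the $has2fa callable is a
// stand-in for an OATHAuth lookup (assumed; e.g. a repository lookup of the
// user's OATH record followed by an "is 2FA enabled" check).

class TwoFactorGatedRights {
    /**
     * Rights withheld from accounts without 2FA. 'checkuser' and
     * 'checkuser-log' are the CheckUser rights; the suppression rights are
     * the "maybe oversight" part of the proposal.
     */
    public const GATED_RIGHTS = [
        'checkuser', 'checkuser-log', 'suppressrevision', 'hideuser',
    ];

    /** @var callable Takes a user object, returns true if 2FA is enrolled. */
    private $has2fa;

    public function __construct( callable $has2fa ) {
        $this->has2fa = $has2fa;
    }

    /**
     * UserGetRights handler. MediaWiki calls it whenever it computes a user's
     * effective rights, so every isAllowed( 'checkuser' ) check sees the
     * filtered list. Returning true lets other handlers run as usual.
     */
    public function onUserGetRights( $user, array &$rights ): bool {
        if ( !( $this->has2fa )( $user ) ) {
            $rights = array_values( array_diff( $rights, self::GATED_RIGHTS ) );
        }
        return true;
    }

    /**
     * Rights the user holds by group but loses to the gate. This is the
     * hook for the "communication piece" raised in the thread: an interface
     * can turn it into a specific "enable 2FA to use CheckUser" notice
     * instead of the generic permission error.
     */
    public function withheldRights( $user, array $groupRights ): array {
        if ( ( $this->has2fa )( $user ) ) {
            return [];
        }
        return array_values( array_intersect( $groupRights, self::GATED_RIGHTS ) );
    }
}

// --- stand-alone demonstration with constructed users -----------------------

/** Minimal stand-in for a MediaWiki User object (constructed for the demo). */
final class DemoUser {
    private $name;

    public function __construct( string $name ) {
        $this->name = $name;
    }

    public function getName(): string {
        return $this->name;
    }
}

// Constructed enrolment table; in a real deployment this comes from OATHAuth.
$enrolled = [ 'Alice' => true, 'Bob' => false ];
$gate = new TwoFactorGatedRights(
    fn( $user ) => $enrolled[ $user->getName() ] ?? false
);

// Rights both users receive from the checkuser group (constructed).
$groupRights = [ 'read', 'edit', 'checkuser', 'checkuser-log' ];

foreach ( [ new DemoUser( 'Alice' ), new DemoUser( 'Bob' ) ] as $user ) {
    $rights = $groupRights;
    $gate->onUserGetRights( $user, $rights );
    printf( "%s: %s\n", $user->getName(), implode( ', ', $rights ) );
    foreach ( $gate->withheldRights( $user, $groupRights ) as $right ) {
        printf( "  %s withheld until two-factor authentication is enabled\n", $right );
    }
}
```

In a real extension the handler is registered under `Hooks` in `extension.json` (assumed wiring, not shown here) and the callable would query OATHAuth instead of the constructed table. Note that the gate only proves that 2FA is enrolled at the moment of the check, not who enrolled it; that is exactly the limitation raised later in this thread about an attacker who compromises an account while its 2FA is removed.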

Vvjjkkii renamed this task from Make users without 2FA setup not have checkuser right regardless of their groups to 6saaaaaaaa. Jul 1 2018, 1:03 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: MarcoAurelio, Huji, Aklapper.
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot renamed this task from 6saaaaaaaa to Make users without 2FA setup not have checkuser right regardless of their groups.

Change 450292 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/extensions/CheckUser@master] Bug: T197501

https://gerrit.wikimedia.org/r/450292

Change 450293 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/core@master] Bug: T197501

https://gerrit.wikimedia.org/r/450293

RP88 added a subscriber: RP88. Aug 20 2018, 5:04 PM
This comment was removed by MR70.
AGK added a subscriber: AGK. Oct 23 2018, 7:44 AM

It was pointed out to me that this might not be the best idea, because if an attacker compromises an account that has temporarily removed 2FA, the attacker can just enroll into 2FA to get back access.

Meno25 added a subscriber: Meno25. Dec 9 2018, 3:45 AM
1997kB removed a subscriber: 1997kB. Jan 25 2019, 3:09 PM