Page MenuHomePhabricator

Remove approval requirement for new accounts, or patch everything in Phabricator to allow unapproved users to be treated as logged out for permissions purposes
Closed, ResolvedPublic

Description

Steps to reproduce:

Expected behavior: should be able to see the page.

Actual behavior: error-message about the account not yet being approved.

Workaround: log out of https://phabricator.wikimedia.org/ until the account has been approved.

Upstream: https://secure.phabricator.com/T13154

Event Timeline

Ruakh created this task.Jun 17 2018, 7:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 17 2018, 7:16 PM
MZMcBride triaged this task as High priority.Jun 17 2018, 10:50 PM
MZMcBride added a subscriber: MZMcBride.
Aklapper raised the priority of this task from High to Needs Triage.Jun 17 2018, 11:07 PM

@MZMcBride: Resetting priority - if you think this is high priority please explain why.

MZMcBride triaged this task as High priority.Jun 18 2018, 3:11 AM

An issue that impairs the ability of a user to perform basic functions such as reading a task is a high priority to get resolved. Can you explain why you reset the priority here?

I tried to create a test account just now and a verified e-mail address is required. Since when?

Am I understanding this issue correctly? The current behavior when a new user registers a Wikimedia Phabricator account to file a bug or report some kind of issue is presenting them with this screen?

I'm really struggling to see how this behavior is appropriate or acceptable.

@mmodell enabled auth.require-approval two days ago, presumably due to T162026, which is a general task discussing phabricator vandalism, which was escalated to UBN three days ago due to a vandalism spree.

Requiring approval is justified, blocking the ability to read until they're approved is not.

Aklapper raised the priority of this task from High to Needs Triage.Jun 18 2018, 11:01 AM

The number of affected user account is very small and the account approval queue is processed. So I'm going to reset the task priority.

Aklapper updated the task description. (Show Details)
Aklapper moved this task from Backlog to Reported Upstream on the Upstream board.
Aklapper moved this task from Backlog to Upstreamed on the Phabricator (Upstream) board.
Krenair renamed this task from Cannot view pages when logged into Phabricator under a not-yet-approved account. to Remove approval requirement for new accounts, or patch everything in Phabricator to allow unapproved users to be treated as logged out for permissions purposes.Jun 19 2018, 8:36 PM
Krenair edited projects, added Phabricator; removed Upstream, Phabricator (Upstream).
Aklapper added a comment.EditedJun 19 2018, 8:43 PM

Makes sense; quoting from upstream:

But we don't have infinite resources and this affects only affects a small portion of users (users on public installs with approval required), usually fairly briefly (only until their account is approved), so it's hard to imagine this change ever making it high enough on the priority list to get implementation in the upstream.

Upstream also implies that this requires 107 places in the code base to get checked and potentially updated. I do not think that we should spend time on that (and maintaining our custom diff) either.

Proposing to close this task as declined.

Edit: Had not seen the task summary change. My last line refers to "patch everything in Phabricator to allow unapproved users to be treated as logged out for permissions purposes"

Yeah. If that part is declined then I don't think wontfixing this is an option, the approval requirement must be removed.

https://secure.phabricator.com/T13154#239449 offers code that we could consider maintaining downstream.

Also:

Some similar change can probably be made in the translation.override config setting without actually touching the code.

Can we set up a temporary bug tracker that users can be redirected to until this is fixed? Unless I'm misunderstanding the summary here, Phabricator is completely non-functional for all but established users because of this.

Can the error message be changed to advise users to log out to see the pages?

Frankly, if the entire bug tracker can just go down like this for over a week, is it okay to be using it in the first place?

Nemo_bis triaged this task as High priority.Jun 25 2018, 5:23 AM
Nemo_bis added a subscriber: Nemo_bis.

The reason why this is high priority is https://lists.wikimedia.org/pipermail/wikitech-l/2018-June/090220.html (the registration restrictions are "temporary" and supposed to be reverted as soon as possible).

Change 441806 had a related patch set uploaded (by Aklapper; owner: Aklapper):
[operations/puppet@production] Phab: Explain to not-yet-approved users how they can access tasks

https://gerrit.wikimedia.org/r/441806

Can we set up a temporary bug tracker that users can be redirected to until this is fixed?

You are free to fork anything.

Can the error message be changed to advise users to log out to see the pages?

Yes, see the previous comment.

Change 441806 merged by Rush:
[operations/puppet@production] Phab: Explain to not-yet-approved users how they can access tasks

https://gerrit.wikimedia.org/r/441806

Change 441806 had a related patch set uploaded (by Aklapper; owner: Aklapper):
[operations/puppet@production] Phab: Explain to not-yet-approved users how they can access tasks
https://gerrit.wikimedia.org/r/441806

https://gerrit.wikimedia.org/r/c/operations/puppet/+/441904

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, (/etc/puppet/modules/phabricator/data/fixed_settings.yaml): did not find expected key while parsing a block mapping at line 221 column 3 at /etc/puppet/modules/phabricator/manifests/init.pp:79:23 on node phab1001.eqiad.wmnet
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
tstarling closed this task as Resolved.Jun 27 2018, 6:01 AM
tstarling claimed this task.

I turned off the account approval queue, replacing it with range blocks on mediawiki.org and wikitech.wikimedia.org. See T162026#4318141 for (private) details.

Vvjjkkii renamed this task from Remove approval requirement for new accounts, or patch everything in Phabricator to allow unapproved users to be treated as logged out for permissions purposes to traaaaaaaa.Jul 1 2018, 1:03 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed tstarling as the assignee of this task.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: gerritbot, Aklapper.
Joe renamed this task from traaaaaaaa to Remove approval requirement for new accounts, or patch everything in Phabricator to allow unapproved users to be treated as logged out for permissions purposes .Jul 1 2018, 6:08 AM
Joe closed this task as Resolved.
Joe updated the task description. (Show Details)

Has the account approval queue been re-enabled? From the #wikimedia IRC channel this evening:

[20:23] <bernard_> can someone cancel my phab approval
[20:23] <bernard_> it doesn't let me read anything
[20:51] <bernard_> nevermind. logging out does the trick
MZMcBride reopened this task as Open.Jul 23 2018, 4:36 AM

Another report in the MediaWiki-General IRC channel just now:

[00:32] <okdana> is there something special i need to do to open an account? it says an admin has to approve me
[00:32] <okdana> is it just slow because it's the week end?

I'm re-opening this task as the issue is not resolved.

Aklapper removed tstarling as the assignee of this task.Jul 27 2018, 6:42 PM

Has the account approval queue been re-enabled?

Yes: https://lists.wikimedia.org/pipermail/wikitech-l/2018-July/090269.html

Way forward is still being discussed.

Has the account approval queue been re-enabled?

Yes: https://lists.wikimedia.org/pipermail/wikitech-l/2018-July/090269.html
Way forward is still being discussed.

Is it possible to have this information present somewhere ? On a mw.org page ?

greg added a subscriber: greg.Aug 3 2018, 8:48 PM

Is it possible to have this information present somewhere ? On a mw.org page ?

Summary: Once we have the necessary tooling in place (namely a vandalism detection system and reversion) we will turn account approval off.

mmodell closed this task as Resolved.Aug 9 2018, 2:09 AM
mmodell claimed this task.