Page MenuHomePhabricator
Create Task
Maniphest T212720

System users should be in a dedicated user group
Closed, DeclinedPublic
Actions

Description

Currently there's no reliable way to identify system users, both backend and frontend. Copying a comment from @Tgr in https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/476492/, we could introduce a new user group which is automatically assigned inside User::newSystemUser and cannot be removed or assigned otherwise. This way, we'd have two benefits:

  • Users will identify system users at a glance via user groups
  • We could have a new method, User::isSystemUser, which would simply check for the group

Details

SubjectRepoBranchLines +/-
Add a new user group exclusive to system usersmediawiki/coremaster+31 -4
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Dec 31 2018, 9:34 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 31 2018, 9:34 AM
Daimona moved this task from Backlog to Other on the MediaWiki-User-management board.Dec 31 2018, 9:34 AM
Daimona moved this task from Backlog to Next on the User-Daimona board.
gerritbot subscribed.Dec 31 2018, 11:16 AM

Change 481601 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/core@master] Add a new user group exclusive to system users

https://gerrit.wikimedia.org/r/481601

gerritbot added a project: Patch-For-Review.Dec 31 2018, 11:16 AM
Daimona claimed this task.Dec 31 2018, 11:27 AM
Daimona moved this task from Next to Under review on the User-Daimona board.
Xaosflux subscribed.Jan 2 2019, 3:33 PM
Daimona mentioned this in T212268: Make the abusefilter-blocker user not be a sysop.Jan 3 2019, 2:43 PM
Nirmos subscribed.Jan 3 2019, 11:15 PM
Daimona mentioned this in T209565: Dry run for normalizeThrottleParameters.php.Jan 4 2019, 1:50 PM
Daimona mentioned this in T160666: AbuseFilter should use the same account name on all WMF projects.Jan 7 2019, 6:53 PM
MGChecker subscribed.Jan 8 2019, 5:23 AM
MGChecker added a comment.Jan 8 2019, 5:33 AM

While I read the code in a way that you shouldn't be able to set this permission with the userights permission (because of the way User->getAllGroups works), is this displayed on ListGroupRights correctly? It might be ignored there as well an could look weird with no permissions assigned.

Daimona added a comment.Jan 8 2019, 9:57 AM

@MGChecker Since the group doesn't appear in any global, ListGroupRights simply skips it. In fact, everything skips it and of course cannot be assigned. My only concern is that Special:ListUsers skips it as well. I guess a cleaner solution would be to add a new global to hold this kind of groups (or just hardcode this group as the only "special" one), and use it where needed (e.g. on ListUsers).

Daimona added a comment.Jan 9 2019, 3:16 PM

I added 'systemuser' to wgImplicitGroups. This should be saner, although it really prevents this group to be shown e.g. on ListUsers. I think this should be fine for now. If we'll find out that we actually want this group to be displayed, there's still time to do it.

Tgr added a comment.Jan 9 2019, 6:28 PM

What happens if someone does a rights change on a system user? If it's marked an implicit group it will probably get lost. Or is that Don't Do That Then territory?

Tgr added a comment.Jan 9 2019, 6:31 PM

Never mind, $wgImplicitGroups doesn't do anything like that. I was probably confusing implicit groups with effective groups but they are not necessarily the same.

Daimona added a comment.Jan 9 2019, 6:38 PM

Indeed. It's impossible to change anything related to this group (assigned rights, assign or remove the group...).

Tgr mentioned this in T214722: Introduce global system users.Jan 25 2019, 8:16 PM
gerritbot added a comment.Mar 22 2019, 3:09 PM

Change 481601 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/core@master] Add a new user group exclusive to system users

https://gerrit.wikimedia.org/r/481601

Meno25 subscribed.Apr 14 2019, 7:13 PM
DannyS712 subscribed.Jun 24 2019, 5:59 AM
DannyS712 added a comment.Nov 13 2019, 8:45 PM

"Currently there's no reliable way to identify system users, both backend and frontend" - in the context of T237356: Don't allow thanking system users, https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/548919/ introduces a separate User::isSystemUser that checks based on the current logic:

User:isSystemUser
/**
 * @return bool Whether this user is a system user
 * @since 1.35
 */
public function isSystemUser() {
	// A user is considered to exist as a non-system user if it can
	// authenticate, or has an email set, or has a non-invalid token.
	if ( $this->mEmail || $this->mToken !== self::INVALID_TOKEN ||
		AuthManager::singleton()->userCanAuthenticate( $this->mName )
	) {
		return false;
	}
	return true;
}

this is how User::newSystemUser currently checks if a real user already exists. Would this work?

DannyS712 added a comment.Nov 28 2019, 7:31 AM

@Daimona is this still needed, given User::isSystemUser introduced in T237356?

Daimona added a comment.Nov 28 2019, 3:02 PM
In T212720#5699102, @DannyS712 wrote:

@Daimona is this still needed, given User::isSystemUser introduced in T237356?

Hm, I think User::isSystemUser is enough! As long it consistently identifies all and only the system users, it should be good.

DannyS712 added a comment.Dec 3 2019, 12:39 AM
In T212720#5700138, @Daimona wrote:
In T212720#5699102, @DannyS712 wrote:

@Daimona is this still needed, given User::isSystemUser introduced in T237356?

Hm, I think User::isSystemUser is enough! As long it consistently identifies all and only the system users, it should be good.

Okay. Once T239526: Note that a user is a system user on Special:Userrights is deployed I'll take a look at some system users to make sure that the note shows up. If it does, I think we can call it good

DannyS712 closed this task as Resolved.Dec 15 2019, 11:20 PM
DannyS712 claimed this task.
DannyS712 removed a project: Patch-For-Review.

Claiming per discussion that the separate group is unneeded in light of User::isSystemUser, which works
Verified with all of the system users I could think of, and they are all properly identified as a system user on Special:Userrights
https://en.wikipedia.org/wiki/Special:UserRights/MediaWiki_default
https://en.wikipedia.org/wiki/Special:UserRights/Maintenance_script
https://meta.wikimedia.org/wiki/Special:UserRights/Abuse_filter
https://www.mediawiki.org/wiki/Special:UserRights/FuzzyBot
https://en.wikipedia.org/wiki/Special:UserRights/MediaWiki_message_delivery
https://en.wikinews.org/wiki/Special:UserRights/Babel_AutoCreate
https://www.mediawiki.org/wiki/Special:UserRights/Flow_talk_page_manager

Restricted Application added a project: User-DannyS712. · View Herald TranscriptDec 15 2019, 11:20 PM
DannyS712 moved this task from Unsorted to Otherwise closed on the User-DannyS712 board.Dec 23 2019, 1:19 AM
Meno25 unsubscribed.Feb 22 2021, 8:21 PM
gerritbot added a comment.Mar 19 2022, 1:01 PM

Change 481601 abandoned by Daimona Eaytoy:

[mediawiki/core@master] Add a new user group exclusive to system users

Reason:

https://gerrit.wikimedia.org/r/481601

MER-C mentioned this in T304242: Expose User::isSystemUser in the Action API.Mar 20 2022, 7:46 PM
Tgr mentioned this in T334083: Problem with auto-creation of LDAP user in the wiki in case of the first login.Apr 9 2023, 5:59 PM
Tgr mentioned this in T333223: Adding user_is_temp to the user table.Apr 28 2023, 3:51 PM
Tgr changed the task status from Resolved to Declined.Mon, Jun 24, 11:37 AM

Adjusting status to more accurately reflect the outcome.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits