Page MenuHomePhabricator
Create Task
Maniphest T213003

Autoconfirmed rights set by extensions are out of sync with confirmed
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

On enwiki and testwiki additional restrictions for creating pages in (main) namespace were added somewhat recently (see also T204016). This access was added to the site configuration for "autoconfirmed" but not the "confirmed" usergroups. The primary purpose of the "confirmed" usergroup is to allow for manually granting access that autoconfirmed has, so this appears to be an oversight.

Short hold for comments is open at: https://en.wikipedia.org/wiki/Wikipedia_talk:Requests_for_permissions#%22confirmed%22_users_can_no_longer_create_articles

Details

SubjectRepoBranchLines +/-
Set confirmed permissions after extensions are loadedoperations/mediawiki-configmaster+8 -2
Customize query in gerrit

Related Objects

Event Timeline

Xaosflux created this task.Jan 5 2019, 3:45 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2019, 3:45 PM
Richard_Nevell awarded a token.Jan 5 2019, 4:54 PM
Richard_Nevell subscribed.
Galobtter subscribed.Jan 5 2019, 5:57 PM
Andrew_Davidson subscribed.Jan 5 2019, 6:56 PM
Amorymeltzer subscribed.Jan 5 2019, 7:26 PM
JJMC89 moved this task from Unsorted to Single wikis on the Community-consensus-needed board.Jan 5 2019, 7:27 PM
JJMC89 subscribed.
John_Cline subscribed.Jan 5 2019, 7:58 PM
Xaosflux added a comment.Jan 5 2019, 8:54 PM

Testing notes (may need another task) - users without createpagemainns ARE able to create these pages if they initialize a page in another namespace, then use the MOVE process - this seems like it should be a security violation.

JJMC89 mentioned this in T213010: Moves circumvent the requirement to have createpagemainns.Jan 5 2019, 8:59 PM
Kizule moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Jan 7 2019, 8:04 AM
Xaosflux removed a project: Community-consensus-needed.Jan 7 2019, 2:47 PM

On-wiki discussion points to this just being an oversight in the creation (https://en.wikipedia.org/w/index.php?title=Wikipedia_talk:Requests_for_permissions&oldid=877253922#%22confirmed%22_users_can_no_longer_create_articles) please proceed.

Xaosflux added a comment.Jan 15 2019, 8:46 PM

@MaxSem do you have any input on this, especially related to T204016?

MaxSem added a project: Community-Tech-Sprint.Jan 15 2019, 11:28 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptJan 15 2019, 11:28 PM
MaxSem moved this task from New & TBD Tickets to Needs Discussion on the Community-Tech board.Jan 16 2019, 12:04 AM
MBinder_WMF removed a project: Community-Tech-Sprint.Jan 16 2019, 12:15 AM
MBinder_WMF added subscribers: jmatazzoni, Niharika, MBinder_WMF.

Taking Community-Tech-Sprint off until this has been reviewed by @Niharika and @jmatazzoni and/or estimated. :)

Niharika triaged this task as Medium priority.Jan 16 2019, 1:09 AM

Triaging this as Normal priority. We can estimate it in next week's meeting unless the engineers get to it first in the Engineering meeting.

Wugapodes subscribed.Jan 21 2019, 3:24 AM
Niharika set the point value for this task to 5.Jan 23 2019, 12:50 AM
Niharika moved this task from Needs Discussion to Up Next (June 3-21) on the Community-Tech board.
Niharika added a project: Community-Tech-Sprint.Jan 23 2019, 1:08 AM
Niharika moved this task from Up Next (June 3-21) to In Sprint 🏃‍♀️🏃‍♂️ on the Community-Tech board.
MaxSem claimed this task.Jan 24 2019, 2:35 AM
MaxSem moved this task from Ready to In Development on the Community-Tech-Sprint board.
MaxSem added a project: TimedMediaHandler.Jan 24 2019, 11:18 PM

Oops, another permission set by extension directly - transcode-reset - is also affected.

MaxSem added a comment.Jan 24 2019, 11:30 PM

The autopsy results:

  1. Defaults are getting set in DefaultSettings.php
  2. We customize that per-wiki in InitialiseSettings.php
  3. In CommonSettings.php we do $wgGroupPermissions['confirmed'] = $wgGroupPermissions['autoconfirmed']; to ensure that confirmed users have the same rights as autoconfirmed.
  4. We load extensions in CommonSettings.php, some of which - like ArticleCreationWorkflow and TimedMediaHandler - assign new privileges to autoconfirmed users.
  5. Boom! We're out of sync.
MaxSem renamed this task from add createpagemainns to the confirmed usergroup on testwiki and enwiki to Autoconfirmed rights set by extensions are out of sync with confirmed.Jan 24 2019, 11:38 PM
gerritbot subscribed.Jan 24 2019, 11:46 PM

Change 486405 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[operations/mediawiki-config@master] Set confirmed permissions after extensions are loaded

https://gerrit.wikimedia.org/r/486405

gerritbot added a project: Patch-For-Review.Jan 24 2019, 11:46 PM
MaxSem moved this task from In Development to Needs Review/Feedback on the Community-Tech-Sprint board.Jan 24 2019, 11:47 PM

Needs review.

MaxSem mentioned this in T214655: Some wikis set confirmed permissions that later get overwritten with autoconfirmed.Jan 24 2019, 11:58 PM
Xaosflux added a comment.Jan 25 2019, 12:02 AM

In general, it's fine to add TimedMediaHandler.

MBinder_WMF unsubscribed.Jan 25 2019, 10:27 PM
gerritbot added a comment.Feb 5 2019, 12:20 AM

Change 486405 merged by jenkins-bot:
[operations/mediawiki-config@master] Set confirmed permissions after extensions are loaded

https://gerrit.wikimedia.org/r/486405

MaxSem closed this task as Resolved.Feb 5 2019, 12:30 AM
MaxSem moved this task from Needs Review/Feedback to Q3 2018-19 on the Community-Tech-Sprint board.
Urbanecm mentioned this in T275333: Special:ListUsers/confirmed doesn't load the list of confirmed users for some users at ptwiki.Feb 22 2021, 12:40 AM
Maintenance_bot removed a project: Patch-For-Review.Feb 22 2021, 1:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits