Page MenuHomePhabricator

Rethink autoconfirmed requirement for OAuth
Closed, ResolvedPublic

Description

Meta now requires 5 edits for autoconfirmed status (since T211188) and OAuth requires autoconfirmed to create consumers (to propose them for review, post gerrit 316302).

On one hand, the OAuth admin interface is not well equipped for handling spam, so some minimal protection agains abuse makes sense.
On the other, requiring people to make meta edits just to be able to propose a consumer is a bit ridiculous.

Instead of autoconfirmed, it should probably have its own check, based on cross-wiki editcount, not meta. Or maybe for non-autoconfirmed users there should be a captcha.

Event Timeline

Tgr created this task.Jan 14 2019, 9:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2019, 9:29 PM
bd808 added a subscriber: bd808.Jan 14 2019, 9:31 PM
Tgr added a comment.Feb 13 2020, 4:54 AM

This is a constant pain point for tool developers. Given that OAuth is basically unmaintained today so complex solutions are unlikely to happen, let's just go the easy way and get rid of the requirement. If it causes problems (consumer proposal spam, specifically; I can't think of any other problem it could cause) we can undo.

Change 571860 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Allow non-autoconfirmed users to propose OAuth apps

https://gerrit.wikimedia.org/r/571860

Tgr added a comment.Feb 13 2020, 5:09 AM

Will deploy this in a week if there are no objections.

This is most frustrating for owner-only consumers for bots, since there's no human review time to waste and a newly-created bot is unlikely to be 4 days old.

Change 571860 merged by jenkins-bot:
[operations/mediawiki-config@master] Allow non-autoconfirmed users to propose OAuth apps

https://gerrit.wikimedia.org/r/571860

Mentioned in SAL (#wikimedia-operations) [2020-02-20T00:22:15Z] <tgr@deploy1001> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:571860|Allow non-autoconfirmed users to propose OAuth apps (T213760)]] (duration: 01m 04s)

Tgr closed this task as Resolved.Feb 20 2020, 12:25 AM
Tgr claimed this task.

Fixed for Wikimedia (we don't require autoconfirmed anymore). The extension defaults don't involve autoconfirmed so I think we can call this fixed (unless there's vandalism / spam in which case we'll have to reopen and think of a different approach).