Page MenuHomePhabricator
Create Task
Maniphest T213760

Rethink autoconfirmed requirement for OAuth
Closed, ResolvedPublic
Actions

Description

Meta now requires 5 edits for autoconfirmed status (since T211188) and OAuth requires autoconfirmed to create consumers (to propose them for review, post gerrit 316302).

On one hand, the OAuth admin interface is not well equipped for handling spam, so some minimal protection agains abuse makes sense.
On the other, requiring people to make meta edits just to be able to propose a consumer is a bit ridiculous.

Instead of autoconfirmed, it should probably have its own check, based on cross-wiki editcount, not meta. Or maybe for non-autoconfirmed users there should be a captcha.

Details

SubjectRepoBranchLines +/-
Allow non-autoconfirmed users to propose OAuth appsoperations/mediawiki-configmaster+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Jan 14 2019, 9:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2019, 9:29 PM
Tgr added a comment.Jan 14 2019, 9:30 PM

See also T142317: Creating an owner-only consumer should not require an autoconfirmed account.

bd808 subscribed.Jan 14 2019, 9:31 PM
Krenair subscribed.Feb 12 2020, 11:54 PM
Tgr added a comment.Feb 13 2020, 4:54 AM

This is a constant pain point for tool developers. Given that OAuth is basically unmaintained today so complex solutions are unlikely to happen, let's just go the easy way and get rid of the requirement. If it causes problems (consumer proposal spam, specifically; I can't think of any other problem it could cause) we can undo.

gerritbot added a comment.Feb 13 2020, 5:08 AM

Change 571860 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Allow non-autoconfirmed users to propose OAuth apps

https://gerrit.wikimedia.org/r/571860

gerritbot added a project: Patch-For-Review.Feb 13 2020, 5:08 AM
Tgr added a comment.Feb 13 2020, 5:09 AM

Will deploy this in a week if there are no objections.

AntiCompositeNumber subscribed.Feb 13 2020, 5:10 AM

This is most frustrating for owner-only consumers for bots, since there's no human review time to waste and a newly-created bot is unlikely to be 4 days old.

DSquirrelGM subscribed.Feb 17 2020, 7:42 AM
taavi subscribed.Feb 17 2020, 5:17 PM
gerritbot added a comment.Feb 20 2020, 12:16 AM

Change 571860 merged by jenkins-bot:
[operations/mediawiki-config@master] Allow non-autoconfirmed users to propose OAuth apps

https://gerrit.wikimedia.org/r/571860

Stashbot added a comment.Feb 20 2020, 12:22 AM

Mentioned in SAL (#wikimedia-operations) [2020-02-20T00:22:15Z] <tgr@deploy1001> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:571860|Allow non-autoconfirmed users to propose OAuth apps (T213760)]] (duration: 01m 04s)

Tgr closed this task as Resolved.Feb 20 2020, 12:25 AM
Tgr claimed this task.

Fixed for Wikimedia (we don't require autoconfirmed anymore). The extension defaults don't involve autoconfirmed so I think we can call this fixed (unless there's vandalism / spam in which case we'll have to reopen and think of a different approach).

Tgr mentioned this in T142317: Creating an owner-only consumer should not require an autoconfirmed account.Feb 20 2020, 12:25 AM
Maintenance_bot removed a project: Patch-For-Review.Feb 20 2020, 1:10 AM
Reedy mentioned this in T249781: Define "Create app" flow.Apr 9 2020, 1:57 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL