
SO878 Step 4: Bind permissions to 2FA
Open, Normal · Public

Description

Objective: Certain permissions shall only be granted when the user logs in using 2FA
The following functions are the result of this project phase
The implementation of this functionality must be assessed and coordinated with MediaWiki architects. We propose one of the following mechanisms:

  • Users are added to an implicit group with additional rights when using 2FA

or

  • Users are prevented from executing a list of rights when not using 2FA

Event Timeline

Osnard created this task. · Mar 13 2019, 2:10 PM
Restricted Application added a subscriber: Aklapper. · Mar 13 2019, 2:10 PM
Osnard added a subscriber: Bawolff. · Thu, May 9, 9:15 AM

Meeting minutes from 2019-05-08:

  • Certain permissions should be suppressed if user is not 2FA
  • @Bawolff suggests usage of new UserGetRightsRemove hook.
    • We should check if a precise error message in case a user loses the permission due to not having 2FA is possible. If not, it's no show stopper.
  • List of permissions to suppress should be defined by a configuration variable
    • Permission editinterface should be default
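
The approach from the minutes, sketched as a handler for the UserGetRightsRemove hook; this is an added example, not code from MediaWiki or from the participants of this task. The class name, the config variable `$wgTwoFactorRestrictedRights` and the session key `TwoFactorVerified` are hypothetical, and the sketch assumes the 2FA login step records that flag in the session.

```php
<?php
// Added example. Hypothetical names: TwoFactorRightsHooks,
// $wgTwoFactorRestrictedRights, session key 'TwoFactorVerified'.
class TwoFactorRightsHooks {
	/** Default from the minutes: editinterface needs 2FA. */
	public const DEFAULT_RESTRICTED = [ 'editinterface' ];

	/**
	 * Drop restricted rights unless the session passed 2FA.
	 * @param string[] $rights rights computed so far
	 * @param string[] $restricted rights that require 2FA
	 * @param bool $verified whether this session used 2FA
	 * @return string[]
	 */
	public static function filterRights( array $rights, array $restricted, bool $verified ): array {
		return $verified
			? array_values( $rights )
			: array_values( array_diff( $rights, $restricted ) );
	}

	/** Handler for the UserGetRightsRemove hook: ( $user, &$rights ). */
	public static function onUserGetRightsRemove( $user, array &$rights ) {
		global $wgTwoFactorRestrictedRights; // hypothetical config variable
		$restricted = $wgTwoFactorRestrictedRights ?? self::DEFAULT_RESTRICTED;
		$session = $user->getRequest()->getSession();
		// Fail closed: the flag only counts for the session's own user.
		// Assumption: the 2FA login step sets 'TwoFactorVerified' in the session.
		$verified = $session->getUser()->equals( $user )
			&& (bool)$session->get( 'TwoFactorVerified', false );
		$rights = self::filterRights( $rights, $restricted, $verified );
		return true;
	}
}

// Registration as it would look in LocalSettings.php or an extension setup file:
// $wgHooks['UserGetRightsRemove'][] = 'TwoFactorRightsHooks::onUserGetRightsRemove';

// Stand-alone run outside MediaWiki with a constructed rights list.
if ( PHP_SAPI === 'cli' && !defined( 'MEDIAWIKI' ) ) {
	$sample = [ 'read', 'edit', 'editinterface' ]; // constructed sample
	print_r( TwoFactorRightsHooks::filterRights(
		$sample, TwoFactorRightsHooks::DEFAULT_RESTRICTED, false
	) );
}
```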