
Turn off direct account creations at Wikimania, at least for periods of time
Closed, Resolved, Public


Wikimaniawiki is a wiki for the Wikimania conferences where people generally arrive via links from the WMF family of wikis (announcements, wikilinks, etc.). The wiki generally only has the populace editing during conference time; much of the other time it is the woke crowd tidying up post-, or creating pre-conference.

Wikimaniawiki currently has direct account creations that appear to be just from spambots.

In a brief conversation with @Reedy he mentioned that we could explore what may be possible and that included:

  • might need to change a few messages and similar to point people to register elsewhere
  • an audit trail/trackability
  • the ability to re-activate the create account function in the lead-up and during a conference

I wondered about the ability to even just redirect the create account to meta, and then return, but that was just my wondering.

Event Timeline

So I was looking at how we "disable" registration by the public on private wikis... ie

It's a mixture of wgWhitelistRead only including the main page and login/logout, and groupOverrides2 setting ['*']['createaccount'] = false.

Similar for fishbowl (at least in part), and also closed (using groupOverrides2).

Obviously the user right for this is createaccount... So a guarded set of something like this would be enough?

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = true;

Though, we probably don't even need to necessarily re-allow 'user' to 'createaccount'... No harm in doing so though

We could do it with a dblist, but that seems unnecessary overhead, and the number of wikis using this "feature" would be precisely one, so probably not worth it.

A wmgDisableAnonAccountCreation or wmgDisableAccountCreation seems to be the way forward IMHO, allowing easy turning on/off per wiki, and allows adding of other wikis to the list that might fall into similar criteria.

Looking at at least one of the users... They passed captcha to create account (via Special:CreateAccount)... But then seemingly couldn't pass it to add spam links to their user page...

And in numerous cases they're being created and used hours later...

Similar for other users I've had a look at

I would grant autocreateaccount to * if we revoke createaccount, so users can still log in with accounts from other wikis.

Change 578047 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] Add wmgDisableAccountCreation

> I would grant autocreateaccount to * if we revoke createaccount, so users can still log in with accounts from other wikis.

Mmm. Indeed. Right creep :)

Change 578047 merged by jenkins-bot:
[operations/mediawiki-config@master] Add wmgDisableAccountCreation

Reedy triaged this task as Medium priority. Mar 8 2020, 5:19 PM

TBD if we want to allow 'user' to create account. As per admins can still create other accounts

Some followup work probably to be done as per the task description

I have created a simple message within `Mediawiki:Loginprompt` that has a link to meta's create account page.

No accounts created and the abuselog ... bliss

Urbanecm assigned this task to Reedy.
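
The check below is an added example, not part of the task or of the merged patch: it audits a wiki's group rights for the state discussed in the thread (`createaccount` revoked from `*`, `autocreateaccount` kept so accounts from other wikis still work). It assumes input shaped like the MediaWiki API's `action=query&meta=siteinfo&siprop=usergroups` JSON output; the three sample responses and the finding labels are constructed for illustration.

```python
import json

def _siteinfo(groups):
    """Build a constructed siprop=usergroups response body."""
    return json.dumps({"query": {"usergroups": [
        {"name": n, "rights": r} for n, r in groups.items()]}})

# Constructed samples shaped like
# api.php?action=query&meta=siteinfo&siprop=usergroups&format=json
OPEN = _siteinfo({"*": ["createaccount", "read", "edit"],
                  "user": ["read", "edit", "move"],
                  "sysop": ["createaccount", "block"]})
REVOKED_ONLY = _siteinfo({"*": ["read", "edit"],
                          "user": ["createaccount", "read", "edit"],
                          "sysop": ["createaccount", "block"]})
LOCKED = _siteinfo({"*": ["autocreateaccount", "read", "edit"],
                    "user": ["createaccount", "read", "edit"],
                    "sysop": ["createaccount", "block"]})


def audit_account_creation(siteinfo_json):
    """Report who can create accounts according to a usergroups dump."""
    groups = json.loads(siteinfo_json)["query"]["usergroups"]
    rights = {g["name"]: set(g.get("rights", [])) for g in groups}
    anon = rights.get("*", set())
    findings = []
    if "createaccount" in anon:
        # Anyone can register directly via Special:CreateAccount.
        findings.append("anon-signup-open")
    elif "autocreateaccount" not in anon:
        # Per the thread: with createaccount revoked from '*', this right is
        # what lets accounts from other wikis still be created on login.
        findings.append("autocreate-blocked")
    # Named groups that keep the right (e.g. 'user', admins) for the audit trail.
    creators = sorted(n for n, r in rights.items()
                      if n != "*" and "createaccount" in r)
    return {"ok": not findings, "findings": findings, "creators": creators}


if __name__ == "__main__":
    for label, body in [("open", OPEN), ("revoked only", REVOKED_ONLY),
                        ("locked", LOCKED)]:
        print(label, audit_account_creation(body))
```

Run against a saved API response before and after toggling the setting, the `creators` list also shows whether `user` was re-granted `createaccount`, the point left as TBD in the thread.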