Page MenuHomePhabricator
Create Task
Maniphest T247185

Turn off direct account creations at Wikimania, at least for periods of time
Closed, ResolvedPublic
Actions

Description

Wikimaniawiki is a wiki for the Wikimania conferences where people generally arrive via links from the WMF family of wikis (announcements, wikilinks, etc.) The wiki generally only has the populace editing during conference time, much of the other time it is the woke crowd tidying up post-, or creating pre-conference.

Wikimaniawiki currently has direct account creations that appear to be just from spambots

In a brief conversation with @Reedy he mentioned that we could explore what may be possible and that included

  • might need to change a few messages and similar to point people to register elsewhere
  • an audit trail/trackability
  • the ability to re-activate the create account function in the lead-up and during a conference

I wondered about the ability to even just redirect the create account to meta, and then return, but that was my just wondering.

Details

SubjectRepoBranchLines +/-
Add wmgDisableAccountCreationoperations/mediawiki-configmaster+13 -1
Customize query in gerrit

Related Objects

Event Timeline

Billinghurst created this task.Mar 8 2020, 4:52 AM
Restricted Application added subscribers: RhinosF1, Aklapper. · View Herald TranscriptMar 8 2020, 4:52 AM
DannyS712 subscribed.Mar 8 2020, 7:27 AM
Peachey88 subscribed.Mar 8 2020, 8:41 AM
Reedy added a comment.Mar 8 2020, 4:19 PM

So I was looking how we "disable" registration by the public on private wikis... ie https://office.wikimedia.org/wiki/Special:CreateAccount

It's a mixture of wgWhitelistRead only including the main page and login/logout, and groupOverrides2 setting ['*']['createaccount'] = false

Similar for fishbowl (at least in part), and also closed (using groupOverride2

Obviously the user right for this is createaccount... So a guarded set of something like this would be enough?

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = true;

Though, we probably don't even need to necessarily re-allow 'user' to 'createaccount'... No harm in doing so though

We could do it with a dblist, but that seems unnecessary overhead, and the number of wikis using this "feature" would be precisely one, so probably not worth it.

A wmgDisableAnonAccountCreation or wmgDisableAccountCreation seems to be the way forward IMHO, allowing easy turning on/off per wiki, and allows adding of other wikis to the list that might fall into a similar criteria.

Reedy added a comment.Mar 8 2020, 4:53 PM

Looking at least one of the users... They passed captcha to create account (via Special:CreateAccount)... But then seemingly couldn't pass it to add spam links to their user page...

And in numerous cases they're being created and used hours later...

Similar for other users I've had a look at

Urbanecm subscribed.Mar 8 2020, 4:53 PM

I would grant autocreateaccount to * if we revoke createaccount, so users can still login with accounts from other wikis.

gerritbot added a comment.Mar 8 2020, 4:56 PM

Change 578047 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] Add wmgDisableAccountCreation

https://gerrit.wikimedia.org/r/578047

gerritbot added a project: Patch-For-Review.Mar 8 2020, 4:56 PM
Krenair subscribed.Mar 8 2020, 5:01 PM
Reedy added a comment.Mar 8 2020, 5:07 PM
In T247185#5952178, @Urbanecm wrote:

I would grant autocreateaccount to * if we revoke createaccount, so users can still login with accounts from other wikis.

Mmm. Indeed. Right creep :)

gerritbot added a comment.Mar 8 2020, 5:14 PM

Change 578047 merged by jenkins-bot:
[operations/mediawiki-config@master] Add wmgDisableAccountCreation

https://gerrit.wikimedia.org/r/578047

Reedy triaged this task as Medium priority.Mar 8 2020, 5:19 PM

TBD if we want to allow 'user' to create account. As per https://wikimania.wikimedia.org/wiki/Special:ListGroupRights admins can still create other accounts

Some followup work probably to be done as per the task description

Maintenance_bot removed a project: Patch-For-Review.Mar 8 2020, 6:10 PM
Quiddity subscribed.Mar 9 2020, 7:13 PM
Billinghurst added a comment.Mar 11 2020, 10:09 AM

I have created a simple message within`Mediawiki:Loginprompt` that has a link to meta's create account page.

No accounts created and the abuselog ... bliss

Billinghurst mentioned this in T250348: Turn off direct account creations at Testwikidata, at least for periods of time.Apr 16 2020, 7:00 AM
Urbanecm closed this task as Resolved.Apr 16 2020, 8:00 AM
Urbanecm assigned this task to Reedy.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL