Page MenuHomePhabricator
Create Task
Maniphest T248282

Never try to grant `oathauth-enable` to `*`
Closed, ResolvedPublic
Actions

Description

It doesn't make sense to try and grant anonymous users the ability to activate 2fa, and it leads to Manage Two-factor authentication being listed for anons at, eg, https://foundation.wikimedia.org/wiki/Special:SpecialPages

Instead, it should be granted to users, and revoked from them, as needed

This requires

  • Preemptively revoking from users, in addition to revoking from *, in WMF config
  • Updating extension.json
  • Removing the revocation from * in WMF config

Hence also tagging as a site request

Details

ProjectBranchLines +/-Subject
operations/mediawiki-configmaster+0 -1Don't try to grant `oathauth-enable` to `*` (part 2)
mediawiki/extensions/OATHAuthmaster+3 -1Don't try to grant `oathauth-enable` to `*`
operations/mediawiki-configmaster+1 -0Don't try to grant `oathauth-enable` to `*` (part 1)
Customize query in gerrit

Related Objects

Event Timeline

DannyS712 created this task.Mar 23 2020, 2:31 AM
Restricted Application added a project: User-DannyS712. · View Herald TranscriptMar 23 2020, 2:31 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Mar 23 2020, 2:32 AM

Change 582613 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 1)

https://gerrit.wikimedia.org/r/582613

gerritbot added a project: Patch-For-Review.Mar 23 2020, 2:32 AM

Change 582614 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/OATHAuth@master] Don't try to grant oathauth-enable to *

https://gerrit.wikimedia.org/r/582614

gerritbot added a comment.Mar 23 2020, 2:34 AM

Change 582615 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 2)

https://gerrit.wikimedia.org/r/582615

DannyS712 moved this task from Unsorted to Awaiting review and deployment on the User-DannyS712 board.Mar 23 2020, 2:35 AM
DannyS712 moved this task from Backlog to In Progress on the MediaWiki-extensions-OATHAuth board.
DannyS712 moved this task from Backlog to To deploy on the Wikimedia-Site-requests board.
DannyS712 added a comment.Mar 23 2020, 2:37 AM

To be on the safe side, and not accidentally grant all users the ability to enable 2FA, the three patches need to be merged separately

  • Update config, part 1
  • Following sync, then extension update can proceed
  • Following deployd of new extension version across all groups, then config update part 2 can occur
RhinosF1 added a subscriber: RhinosF1.Mar 23 2020, 6:28 AM
DannyS712 added a comment.Mar 23 2020, 5:31 PM

Config update part 1 scheduled for SWAT: Monday, March 23 18:00–19:00 UTC (Morning SWAT)

gerritbot added a comment.Mar 23 2020, 6:20 PM

Change 582613 merged by jenkins-bot:
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 1)

https://gerrit.wikimedia.org/r/582613

Stashbot added a comment.Mar 23 2020, 6:24 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-23T18:24:55Z] <urbanecm@deploy1001> Synchronized wmf-config/CommonSettings.php: SWAT: 212114e: Dont try to grant oathauth-enable to * (T248282) (duration: 00m 59s)

gerritbot added a comment.Mar 23 2020, 9:43 PM

Change 582614 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Don't try to grant oathauth-enable to *

https://gerrit.wikimedia.org/r/582614

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.25; 2020-03-24).Mar 23 2020, 10:00 PM
DannyS712 added a comment.Mar 31 2020, 6:03 PM
This comment was removed by DannyS712.
gerritbot added a comment.Apr 2 2020, 11:03 PM

Change 582615 merged by jenkins-bot:
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 2)

https://gerrit.wikimedia.org/r/582615

Stashbot added a comment.Apr 2 2020, 11:09 PM

Mentioned in SAL (#wikimedia-operations) [2020-04-02T23:09:01Z] <catrope@deploy1001> Synchronized wmf-config/CommonSettings.php: Don't try to grant 'oathauth-enable' to '*' (part 2) (T248282) (duration: 00m 58s)

Maintenance_bot removed a project: Patch-For-Review.Apr 2 2020, 11:10 PM
DannyS712 closed this task as Resolved.Apr 2 2020, 11:14 PM
DannyS712 moved this task from Awaiting review and deployment to Merged on the User-DannyS712 board.May 27 2020, 8:32 AM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL