
Never try to grant `oathauth-enable` to `*`
Closed, Resolved, Public

Description

It doesn't make sense to try to grant anonymous users the ability to activate 2FA, and it leads to Manage Two-factor authentication being listed for anons at, e.g., https://foundation.wikimedia.org/wiki/Special:SpecialPages

Instead, it should be granted to users, and revoked from them, as needed.

This requires:

  • Preemptively revoking from users, in addition to revoking from *, in WMF config
  • Updating extension.json
  • Removing the revocation from * in WMF config

Hence also tagging as a site request

Event Timeline


Change 582613 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 1)

https://gerrit.wikimedia.org/r/582613

Change 582614 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/extensions/OATHAuth@master] Don't try to grant oathauth-enable to *

https://gerrit.wikimedia.org/r/582614

Change 582615 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 2)

https://gerrit.wikimedia.org/r/582615

To be on the safe side, and not accidentally grant all users the ability to enable 2FA, the three patches need to be merged separately:

  • Update config, part 1
  • Following sync, the extension update can proceed
  • Following deployment of the new extension version across all groups, config update part 2 can occur
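Why the three steps in the description have to land in this order is easiest to see by resolving effective rights the way MediaWiki does: extension.json defaults are loaded into $wgGroupPermissions first, wmf-config assignments then override them per group, and a user holds a right if any of their groups maps it to true. The PHP below is an added example, not code from this task, the OATHAuth extension or operations/mediawiki-config. It assumes that extension.json originally granted `oathauth-enable` to `*` and is changed to grant it to `user`, that the "revocations" in wmf-config are `$wgGroupPermissions[...]['oathauth-enable'] = false` overrides, and it uses a `sysop` grant purely as an illustration of a group that wmf-config deliberately keeps the right for; none of these are quoted on the page.

```php
<?php
// Added example (not from the task, OATHAuth or wmf-config): walk the three
// deployment phases and check who ends up with 'oathauth-enable'.
//
// Assumed model of MediaWiki rights resolution: extension.json defaults are
// loaded into $wgGroupPermissions first, then wmf-config assignments override
// them per group; a user has a right if ANY of their groups maps it to true.
// Anonymous users are in '*' only; logged-in users are in '*' and 'user'.
// The 'sysop' grant is illustrative only.

function resolveRights(array $extensionDefaults, array $configOverrides): array {
    // Later assignments replace earlier ones for the same group/right pair.
    return array_replace_recursive($extensionDefaults, $configOverrides);
}

function hasRight(array $groups, array $perms, string $right): bool {
    foreach ($groups as $g) {
        if (!empty($perms[$g][$right])) {
            return true;
        }
    }
    return false;
}

const RIGHT = 'oathauth-enable';

// extension.json before and after the OATHAuth patch (assumed shapes).
$extBefore = [ '*'    => [ RIGHT => true ] ];
$extAfter  = [ 'user' => [ RIGHT => true ] ];

// wmf-config at each step (assumed shapes; 'sysop' grant is illustrative).
$cfgOriginal = [ '*' => [ RIGHT => false ], 'sysop' => [ RIGHT => true ] ];
$cfgPart1    = [ '*' => [ RIGHT => false ], 'user' => [ RIGHT => false ], 'sysop' => [ RIGHT => true ] ];
$cfgPart2    = [ 'user' => [ RIGHT => false ], 'sysop' => [ RIGHT => true ] ];

$phases = [
    'original'         => [ $extBefore, $cfgOriginal ],
    'config part 1'    => [ $extBefore, $cfgPart1 ],
    'extension synced' => [ $extAfter,  $cfgPart1 ],
    'config part 2'    => [ $extAfter,  $cfgPart2 ],
    // The ordering the task guards against: extension synced before config part 1.
    'WRONG: ext first' => [ $extAfter,  $cfgOriginal ],
];

foreach ($phases as $name => [$ext, $cfg]) {
    $perms = resolveRights($ext, $cfg);
    printf(
        "%-18s anon=%-4s user=%-4s sysop=%s\n",
        $name,
        hasRight(['*'], $perms, RIGHT) ? 'yes' : 'no',
        hasRight(['*', 'user'], $perms, RIGHT) ? 'yes' : 'no',
        hasRight(['*', 'user', 'sysop'], $perms, RIGHT) ? 'yes' : 'no'
    );
}
```

Run with `php` on the command line. Every phase in the planned order leaves anonymous and plain users without the right while the illustrative `sysop` group keeps it; only the "WRONG: ext first" row, where the new extension.json reaches the servers before config part 1 has been synced, hands `oathauth-enable` to every logged-in user, which is the window the separate merges are meant to close.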

Config update part 1 scheduled for SWAT: Monday, March 23 18:00–19:00 UTC (Morning SWAT)

Change 582613 merged by jenkins-bot:
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 1)

https://gerrit.wikimedia.org/r/582613

Mentioned in SAL (#wikimedia-operations) [2020-03-23T18:24:55Z] <urbanecm@deploy1001> Synchronized wmf-config/CommonSettings.php: SWAT: 212114e: Dont try to grant oathauth-enable to * (T248282) (duration: 00m 59s)

Change 582614 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Don't try to grant oathauth-enable to *

https://gerrit.wikimedia.org/r/582614


Change 582615 merged by jenkins-bot:
[operations/mediawiki-config@master] Don't try to grant oathauth-enable to * (part 2)

https://gerrit.wikimedia.org/r/582615

Mentioned in SAL (#wikimedia-operations) [2020-04-02T23:09:01Z] <catrope@deploy1001> Synchronized wmf-config/CommonSettings.php: Don't try to grant 'oathauth-enable' to '*' (part 2) (T248282) (duration: 00m 58s)