Assign oathauth-verify-user to stewards at metawiki
Closed, Resolved (Public)

Description

Since T209749, holders of oathauth-verify-user can view whether a user is enrolled in 2FA. This should be assigned to the stewards at meta, so they can query for 2FA status before granting sensitive rights.

Event Timeline

Change 593286 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[operations/mediawiki-config@master] Assign oathauth-verify-user to stewards

https://gerrit.wikimedia.org/r/593286

Urbanecm added a subscriber: jrbs.

I talked to @jrbs about this, waiting for his comment before moving further.

Just to confirm, what is the output of Special:VerifyOATHForUser? Is it a binary yes/no, or does it provide other information?

To summarize, binary information. For your convenience, here are screenshots of that form:

Query form: [screenshot]

Yes: [screenshot]

No: [screenshot]

The log looks like this:

21:26, 29 April 2020 Martin Urbanec (talk | contribs | block) checked if User:Martin Urbanec had two-factor authentication enabled (test)

and is available only to those who can view 2FA enrollment status (as of today, no one; once this gets resolved, the stewards).

DannyS712 added a subscriber: DannyS712.

Staff should be able to get access via the global group?

To clarify, this ticket is about the stewards only. Traditionally, the stewards don't change staff's power without direct request to do so made by the Foundation. So, if and how staff will have this depends on further discussion and is out of scope. I hope this makes sense.

Just spoke with Jan and the privacy team in Legal, and both are comfortable with proceeding in applying this right to the Stewards group.

I'm not sure about the staff thing just yet. I don't think it is necessary since those who need this data can access it through the databases.

Change 593286 merged by jenkins-bot:
[operations/mediawiki-config@master] Assign oathauth-verify-user to stewards

https://gerrit.wikimedia.org/r/593286

Mentioned in SAL (#wikimedia-operations) [2020-04-30T23:05:41Z] <urbanecm@deploy1001> Synchronized wmf-config/InitialiseSettings.php: SWAT: cf5f7ff: Assign oathauth-verify-user to stewards (T251447) (duration: 01m 05s)

Urbanecm claimed this task.

Done. This will be automatically available to stews once the train gets to Meta.

This is not related to the codebase; I merely changed WMF-specific config here.