Page MenuHomePhabricator
Create Task
Maniphest T260222

Can't change user groups if the user has an '@' in their username
Closed, ResolvedPublic
Actions

Description

Since 2007[1], Special:UserRights has relied on a delimiter to separate the username input into a username and a wiki, allowing for interwiki user rights management. This delimiter was hard-coded as @ until 2009[2], when it was made configurable via $wgUserrightsInterwikiDelimiter.

For usernames that contain the delimiter, Special:UserRights cannot be used normally. At the same time the delimiter was made configurable, $wgInvalidUsernameCharacters was added to prevent registration of new accounts with specific characters, including (by default) @, the default delimiter.

However, accounts that were created before 2009 (or on non-WMF wikis where the configuration was changed) still cannot be modified normally via Special:GlobalRights. Example:

https://en.wikipedia.org/wiki/Special:UserRights/Rms125a@hotmail.com

It is possible to use the user id[3], which can be retrieved via the api[4], but ideally it would be possible to change the user groups of such users without needing to look up their user ids

[1] https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/c3ef834c0400b18ecc75e9ff9a98ec2e240b34df
[2] https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/c75197371c81cfe35b0c29e3cd8ea3219e3a6bd1
[3] In this case, https://en.wikipedia.org/w/index.php?title=Special%3AUserRights&user=%23376014
[4] In this case, https://en.wikipedia.org/w/api.php?action=query&list=users&ususers=Rms125a@hotmail.com

Details

SubjectRepoBranchLines +/-
Link to working Special:UserRights for users with '@' in their namemediawiki/coremaster+10 -2
Customize query in gerrit

Event Timeline

ST47 created this task.Aug 12 2020, 6:21 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 12 2020, 6:21 AM
JJMC89 moved this task from Backlog to User rights on the MediaWiki-User-management board.Aug 12 2020, 6:22 AM
DannyS712 removed a project: MediaWiki-extensions-CentralAuth.Aug 12 2020, 6:27 AM
DannyS712 subscribed.

@ST47 you can use https://en.wikipedia.org/w/index.php?title=Special%3AUserRights&user=%23376014

Not caused by CentralAuth, but rather $wgUserrightsInterwikiDelimiter being @ by default. That config option is documented with

It is recommended that you have this delimiter in $wgInvalidUsernameCharacters above, or you will not be able to modify the user rights of those users via Special:UserRights

but the user in question has an account predating when @ was added to the invalid username characters

ThesenatorO5-2 triaged this task as Unbreak Now! priority.EditedAug 12 2020, 6:27 AM
ThesenatorO5-2 subscribed.

This is urgent since there are software restrictions now which prevent the @ inside a username.

ThesenatorO5-2 added a comment.Aug 12 2020, 6:30 AM

Or you can contact a sysadmin to set $wgUserrightsInterwikiDelimiter to some nonsense, like APL glyphs.

Legoktm lowered the priority of this task from Unbreak Now! to Needs Triage.Aug 12 2020, 6:30 AM
Legoktm subscribed.
In T260222#6378728, @ThesenatorO5-2 wrote:

This is urgent since there are software restrictions now which prevent the @ inside a username. This bug can be fixed by adding a Special:XWikiUserRights. Rasing priority.

This is not unbreak now. See https://www.mediawiki.org/wiki/Phabricator/Project_management#Setting_task_priorities

ST47 added a comment.Aug 12 2020, 6:35 AM

Awesome, thanks @DannyS712 . I agree that it isn't urgent because the user in question is indef blocked, and as there is a workaround. I do not think a sysadmin should set $wgUserrightsInterwikiDelimiter to any nonsense.

Seems like there are two options here:

  • Have the sidebar / Contribs page / etc detect when the username contains $wgUserrightsInterwikiDelimiter, and generate a link using the user ID instead of the username
  • Have the special page check try using the provided username (including the part after the @) either first, or, as a fallback if the requesting user does not have permission to change user groups on different wikis
ThesenatorO5-2 triaged this task as High priority.Aug 12 2020, 6:35 AM
ThesenatorO5-2 added a subscriber: aaron.

I have notified the sysadmins. Updating priority.

ThesenatorO5-2 assigned this task to aaron.Aug 12 2020, 6:37 AM

I am assigning this task to a sysadmin.

Jony subscribed.Aug 12 2020, 6:38 AM
JJMC89 removed aaron as the assignee of this task.Aug 12 2020, 6:39 AM
JJMC89 raised the priority of this task from High to Needs Triage.
JJMC89 removed a subscriber: aaron.
Legoktm added a comment.Aug 12 2020, 6:39 AM
In T260222#6378759, @ThesenatorO5-2 wrote:

I have notified the sysadmins. Updating priority.

You've been warned multiple times not to mess with priority inappropriately and continued to do so, so I've disabled your account for now. If you'd like it re-enabled you can contact me or another Phabricator admin on-wiki.

DannyS712 updated the task description. (Show Details)Aug 12 2020, 6:47 AM
DannyS712 updated the task description. (Show Details)
Base subscribed.Aug 12 2020, 7:16 AM

So TIL that it is possible to use the #123 syntax for Special:UserRights (I would otherwise work around this purely through API), that is nice.

But as to the ticket itself, I guess what is a better idea to do is to find all the (not locked?) accounts with such names and have them renamed?

Aklapper added a comment.Aug 12 2020, 9:38 AM

@ThesenatorO5-2: Please read https://www.mediawiki.org/wiki/Bug_management/Phabricator_etiquette, https://www.mediawiki.org/wiki/How_to_report_a_bug, and https://www.mediawiki.org/wiki/Phabricator/Project_management#Setting_task_priorities and do not set priority or assign random people. Thank you.

gerritbot added a comment.Dec 4 2021, 9:33 AM

Change 743554 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/core@master] Link to working Special:UserRights for users with '@' in their name

https://gerrit.wikimedia.org/r/743554

gerritbot added a project: Patch-For-Review.Dec 4 2021, 9:33 AM
Legoktm claimed this task.Dec 4 2021, 9:34 AM
Legoktm triaged this task as Low priority.
gerritbot added a comment.Dec 4 2021, 10:23 AM

Change 743554 merged by jenkins-bot:

[mediawiki/core@master] Link to working Special:UserRights for users with '@' in their name

https://gerrit.wikimedia.org/r/743554

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.12; 2021-12-06).Dec 4 2021, 11:00 AM
taavi closed this task as Resolved.Dec 4 2021, 11:04 AM
Maintenance_bot removed a project: Patch-For-Review.Dec 4 2021, 11:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL