Page MenuHomePhabricator
Create Task
Maniphest T275931

Have new system users be automatically attached to CentralAuth
Open, Needs TriagePublic
Actions

Description

When a MediaWiki farm is set up with some concept of global / central accounts, User::newSystemUser() should integrate with that.

Original task description:

On Wikimedia wikis, where MediaWiki-extensions-CentralAuth is used; the bot accounts used by MassMessage do not even appear as "unnatached" on https://meta.wikimedia.org/wiki/Special:CentralAuth/MediaWiki_message_delivery. This seems to be a bug of some sort.

New MassMessage system users should be automatically attached to CentralAuth upon new wiki creations.

This also allows local projects to get GlobalUserPage descriptions of those system accounts, reducing confusion.

(This was done in T275935: Please manually attach new MassMessage system accounts on Wikimedia wikis for MassMessage but still a problem more generally.)

See also:
T160666: AbuseFilter should use the same account name on all WMF projects

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Attach new MassMessage accounts to the global accountmediawiki/extensions/MassMessagemaster+10 -0
Call LocalUserCreatedHook from User::newSystemUser on creationmediawiki/coremaster+7 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

MarcoAurelio created this task.Feb 26 2021, 11:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 26 2021, 11:01 PM
MarcoAurelio updated the task description. (Show Details)Feb 26 2021, 11:06 PM
MarcoAurelio mentioned this in T275935: Please manually attach new MassMessage system accounts on Wikimedia wikis.Feb 26 2021, 11:09 PM
Legoktm added a parent task: T275935: Please manually attach new MassMessage system accounts on Wikimedia wikis.Feb 26 2021, 11:12 PM
Legoktm added a project: MediaWiki-extensions-CentralAuth.Feb 26 2021, 11:14 PM

https://gerrit.wikimedia.org/g/mediawiki/extensions/MassMessage/+/3ea6d83b7c0732c89801cc084ac9effcd0e0a1f3/includes/MassMessage.php#43

MM just calls User::newSystemUser(). Probably that core function needs a hook for CentralAuth to add it into the right tables.

Bugreporter closed this task as a duplicate of T111686: Attach existing system users to CentralAuth.Feb 27 2021, 12:08 AM
gerritbot added a comment.Jul 31 2021, 11:48 AM

Change 709211 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/MassMessage@master] Attach new MassMessage accounts to the global account

https://gerrit.wikimedia.org/r/709211

gerritbot added a project: Patch-For-Review.Jul 31 2021, 11:48 AM
Zabe subscribed.Jul 31 2021, 11:57 AM
Zabe reopened this task as Open.Jul 31 2021, 12:08 PM

Not realy a duplicate. The other task is about attaching the accounts in wikimedia production, while this one is about making this happen automatically.

gerritbot added a comment.Aug 31 2021, 10:36 PM

Change 715805 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/core@master] Call LocalUserCreatedHook from User::newSystemUser on creation

https://gerrit.wikimedia.org/r/715805

Legoktm removed Legoktm as the assignee of this task.Dec 23 2021, 6:09 PM
Legoktm subscribed.
Nikerabbit merged a task: T62385: "MediaWiki message delivery" autocreation does not integrate with CentralAuth.Jan 26 2022, 11:07 AM
Nikerabbit moved this task from Backlog to Maintenance on the MassMessage board.
Nikerabbit added subscribers: MZMcBride, Quiddity, wikibugs-l-list.
gerritbot added a comment.Apr 12 2022, 8:13 PM

Change 715805 abandoned by Umherirrender:

[mediawiki/core@master] Call LocalUserCreatedHook from User::newSystemUser on creation

Reason:

May not the best way to fix this

https://gerrit.wikimedia.org/r/715805

gerritbot added a comment.Feb 13 2023, 2:09 AM

Change 709211 abandoned by Zabe:

[mediawiki/extensions/MassMessage@master] Attach new MassMessage accounts to the global account

Reason:

https://gerrit.wikimedia.org/r/709211

Maintenance_bot removed a project: Patch-For-Review.Feb 13 2023, 2:30 AM
Tgr mentioned this in T358985: Admin account created by the installer isn't made global by CentralAuth.Mar 4 2024, 9:28 PM
Bugreporter mentioned this in T367968: Remove centralauth-merge user right from Wikimedia wikis.Jun 20 2024, 3:53 AM
Bugreporter mentioned this in T348388: SUL3: Use a dedicated domain for login and account creation.Jun 24 2024, 8:45 AM
Tgr mentioned this in T214722: Introduce global system users.Jun 24 2024, 11:35 AM
Tgr added a subtask: T214722: Introduce global system users.Jun 24 2024, 11:38 AM
Tgr removed a subtask: T214722: Introduce global system users.
Johannnes89 subscribed.Feb 24 2025, 1:08 PM
matmarex mentioned this in T382292: 'global_user_editcount' variable consistently returning 0 for the 'MediaWiki message delivery' account.Jun 10 2025, 10:38 PM
matmarex removed a parent task: T275935: Please manually attach new MassMessage system accounts on Wikimedia wikis.Jun 10 2025, 11:24 PM
matmarex subscribed.

This problem affects everything using User::newSystemUser(), so I'll rephrase the task.

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJun 10 2025, 11:26 PM
matmarex renamed this task from Have new MassMessage system users be automatically attached to CentralAuth to Have new system users be automatically attached to CentralAuth.Jun 10 2025, 11:26 PM
matmarex removed a project: MassMessage.
matmarex added a parent task: T111686: Attach existing system users to CentralAuth.Jun 10 2025, 11:29 PM
matmarex mentioned this in T111686: Attach existing system users to CentralAuth.Jun 10 2025, 11:40 PM
matmarex added a comment.Jun 10 2025, 11:44 PM

I think we should just add a new hook inside User::newSystemUser() and have CentralAuth implement it. it may be a bit ugly, but other options seem uglier.

A_smart_kitten subscribed.Jun 11 2025, 5:52 AM
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Jun 16 2025, 2:25 PM
Tgr merged a task: T214722: Introduce global system users.Jun 16 2025, 6:20 PM
Tgr added subscribers: Tgr, Bugreporter, Nintendofan885 and 7 others.
Tgr updated the task description. (Show Details)Jun 16 2025, 6:25 PM
Tgr updated the task description. (Show Details)
Tgr added a comment.Jun 16 2025, 6:33 PM

Some considerations from the other task:

In T214722#10906451, @Tgr wrote:

What if the central account does not exist yet? What if it exists but isn't a system user (and you are using the steal flag)? We don't even have an isSystemUser() equivalent for central users.

In T214722#7347220, @Tgr wrote:

Flow does this manually (in TalkpageManager::getTalkpageManager()) by creating a system user and then calling CentralAuthUser::attach( <wiki id>, 'admin' ).

In T214722#9936533, @Bugreporter wrote:

In proposed account vanishing procedure in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1050675/3/includes/GlobalRename/GlobalRenameUser.php we used User::newSystemUser() with the steal option to make an account unusable. However it will also make the user displayed as system user (isSystemUser) in various places. (The DisableAccount extension already did revoke user's access this way, though it is was not installed in any SUL wikis before undeployed from Wikimedia.)

In T214722#9937981, @Bugreporter wrote:

An alternative solution is to reopen T212720: System users should be in a dedicated user group, which at least provides a better way to detect system accounts than the current one.

Bugreporter added a comment.Jun 17 2025, 1:08 AM

More comments copied from merged tasks:

In T214722#8845922, @Bugreporter wrote:

I propose that we can introduce a new user name format for system user names. For example the abuse filter blocker can be named User:@abusefilter-blocker in every wiki, and a localized named (stored in a MediaWiki message) can be shown in page history, recent changes and logs.

Since @ is not a valid character in new user name there are little risk of conflicts with existing users. There are no conflict with interwiki user name either (which always have a (.+)@([^@]+) format). Such accounts can safely be connected to SUL automatically.

In T214722#10371896, @Bugreporter wrote:

In additional of the issues I described above, I do not believe the current way to detect system users (T212720#5661680) is a "cheap" one. Imagine if we need to filter out edits of system users from recent changes, we must query whether a user is system user one by one. In many cases, login credentials can be provided by an external system that may be another database (e.g. CentralAuth), or not MySQL at all. So it is not possible to join it with recent changes.

JTweed-WMF moved this task from Needs refinement to Not planned (Patches welcome!) on the MediaWiki-Platform-Team board.Aug 28 2025, 2:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits