Page MenuHomePhabricator

Revoke changetags permissions from the 'Users' group
Closed, ResolvedPublic

Description

The meta community decided that the changetags permission should be revoked from the user usergroup and should only be available to sysops and bots.

https://meta.wikimedia.org/wiki/Meta:Babel#Revoke_changetags_permissions_from_the_"Users"_group

Event Timeline

Zabe renamed this task from Restrict changetag to 'autoconfirmed' users on meta to Restrict changetagx to 'autoconfirmed' users on meta.Tue, May 25, 7:47 PM
Zabe renamed this task from Restrict changetagx to 'autoconfirmed' users on meta to Restrict changetags to 'autoconfirmed' users on meta.
Zabe renamed this task from Restrict changetags to 'autoconfirmed' users on meta to Restrict changetags to ??? users on meta.EditedTue, May 25, 7:56 PM
Zabe changed the task status from Open to Stalled.

Okay, I just read through the discussion and there isn't that much consensus for what restrict this to.

Zabe renamed this task from Restrict changetags to ??? users on meta to Restrict changetags to 'autoconfirmed' users on meta.Tue, May 25, 8:58 PM
Zabe changed the task status from Stalled to Open.

Change 694686 had a related patch set uploaded (by Zabe; author: Zabe):

[operations/mediawiki-config@master] Restrict changetags to 'autoconfirmed' users on meta

https://gerrit.wikimedia.org/r/694686

Given how scarcely the permission is used, and that there has been abuse from autoconfirmed users as well, I think it'd be best if for now we removed applychangetags and changetags from the user group, and granted them instead to the bot and sysop groups only.

Granting the permission to autopatrolled users is a more complex config change as such flag is usually revoked upon being promoted to other user groups, and would mean adding those permissions to a bunch of other local groups in order to keep an equivalent level of access for no benefit, as neither autopatrolled nor other user groups seem to actively need these permissions.

Zabe renamed this task from Restrict changetags to 'autoconfirmed' users on meta to Revoke changetags permissions from the 'Users' group.Thu, Jun 3, 10:40 PM
Zabe triaged this task as Medium priority.

Change 694686 merged by jenkins-bot:

[operations/mediawiki-config@master] Restrict changetags to sysops and bots on meta

https://gerrit.wikimedia.org/r/694686

Mentioned in SAL (#wikimedia-operations) [2021-06-03T23:09:02Z] <thcipriani@deploy1002> Synchronized wmf-config/InitialiseSettings.php: Config: [[gerrit:694686|Restrict changetags to sysops and bots on meta]] T283625 (duration: 00m 58s)

Given how scarcely the permission is used, and that there has been abuse from autoconfirmed users as well, I think it'd be best if for now we removed applychangetags and changetags from the user group, and granted them instead to the bot and sysop groups only.

Granting the permission to autopatrolled users is a more complex config change as such flag is usually revoked upon being promoted to other user groups, and would mean adding those permissions to a bunch of other local groups in order to keep an equivalent level of access for no benefit, as neither autopatrolled nor other user groups seem to actively need these permissions.

Restricted changetags to sysops and bots for now. Haven't done for applychangetags (yet), since this was not realy part of the discussion.