
Figure out how to force-logout users cross-wiki
Open, Needs Triage, Public

Description

If $wgBlockDisablesLogin is set to true, blocked users can no longer log in. Since T129738 we know that it is necessary to reset the user's auth token in order to 'force-logout' them. In DatabaseBlockStore this is being done by the following code.

if ( $this->options->get( 'BlockDisablesLogin' ) ) {
	$targetUserIdentity = $block->getTargetUserIdentity();
	if ( $targetUserIdentity ) {
		$targetUser = $this->userFactory->newFromUserIdentity( $targetUserIdentity );
		// Change user login token to force them to be logged out.
		$targetUser->setToken();
		$targetUser->saveSettings();
	}
}

Now we want to properly support cross-wiki blocking. This includes that we need to figure out how to reset the auth token cross-wiki, since full user objects can only represent local users, in order to force-logout users if $wgBlockDisablesLogin is set to true.
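
An added example, not part of the task or of MediaWiki's code: a simplified PHP model of why the local token reset shown above logs a user out on one wiki only. The WikiUserStore class, the forceLogoutEverywhere() helper, the wiki IDs and the user name are hypothetical, and the model assumes each wiki validates sessions against its own copy of the user's token.

```php
<?php
// Simplified model, not MediaWiki code: each wiki keeps its own user rows,
// and a session is valid only while its stored token matches the row's token.
final class WikiUserStore {
	/** @var array<string,string> user name => current login token */
	private array $tokens = [];

	public function __construct( public string $wikiId ) {
	}

	public function rotateToken( string $name ): string {
		// A fresh random token; any session holding the old one stops validating.
		return $this->tokens[$name] = bin2hex( random_bytes( 16 ) );
	}

	public function sessionIsValid( string $name, string $sessionToken ): bool {
		$current = $this->tokens[$name] ?? null;
		// Constant-time comparison, as for any secret token.
		return $current !== null && hash_equals( $current, $sessionToken );
	}
}

// Hypothetical helper: the cross-wiki step the task asks for, i.e. rotate the
// token on every wiki where the blocked account exists, not only the local one.
function forceLogoutEverywhere( array $stores, string $name ): void {
	foreach ( $stores as $store ) {
		$store->rotateToken( $name );
	}
}

$enwiki = new WikiUserStore( 'enwiki' );
$dewiki = new WikiUserStore( 'dewiki' );

// Constructed sample: the same account holds a live session on both wikis.
$sessions = [
	'enwiki' => $enwiki->rotateToken( 'Example' ),
	'dewiki' => $dewiki->rotateToken( 'Example' ),
];

// Local-only reset, as in the DatabaseBlockStore snippet, then check both wikis.
$enwiki->rotateToken( 'Example' );
var_dump( $enwiki->sessionIsValid( 'Example', $sessions['enwiki'] ) );
var_dump( $dewiki->sessionIsValid( 'Example', $sessions['dewiki'] ) );

// Rotate on every wiki, then check the remote session again.
forceLogoutEverywhere( [ $enwiki, $dewiki ], 'Example' );
var_dump( $dewiki->sessionIsValid( 'Example', $sessions['dewiki'] ) );
```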

Event Timeline

Aklapper changed the task status from In Progress to Open. Oct 4 2021, 9:51 PM
Aklapper added a subscriber: Armando805ox.

@Armando805ox: It is unclear to me why you made these changes.

Pchelolo added a subscriber: Pchelolo.

This is a tricky beast. This is one of the things that we don't have a cross-wiki replacement for yet. Need to think about that, especially in conjunction with CentralAuth.