Page MenuHomePhabricator

Create a group that revokes all ipinfo* rights
Closed, InvalidPublic



A user will have one or more rights granted by being a member of a group. In a similar way, a user may those rights revoked by either:

  1. Being removed from that group; or
  2. Being a member of a group that revokes those rights.

with the latter taking precedence over the former. For more detail, see the MediaWiki Manual entries for $wgGroupPermissions and $wgRevokePermissions.

T296184: Automatically promote users to the group that grants basic rights proposes using the autopromote mechanism to add users to the group created in T296085: Create a group that grants basic ipinfo* rights. However, the autopromote mechanism doesn't add the user to the group but rather adds an effective (or implicit) group membership, i.e. a user can't be removed from a group that they've been autopromoted to. Therefore, we need to create a group that revokes all ipinfo* rights.

  • Create a group that revokes the ipinfo, ipinfo-view-basic, and ipinfo-view-full rights
  • Users in the group must not be able to remove themselves from it
$wgGroupsRemoveFromSelf[ 'ipinfo-revoked' ] = false;

should be read as "users in the ipinfo-revoked group cannot remove themselves from it."

Event Timeline

Let me echo @Huji's comments from T296085:

Dumb question: why do you need a new group here?

In MediaWiki core and in all key extensions, the default choice is that "Bureaucrat" group is the one who assigns and revokes all other groups.

In WMF, this is often overridden (e.g. we have a custom "steward" group that can assign/revoke many other groups).

Point being: why not use Bureaucrat as the default assigner/revoker of IP Info related groups?