Background
A user will have one or more rights granted by being a member of a group. In a similar way, a user may those rights revoked by either:
- Being removed from that group; or
- Being a member of a group that revokes those rights.
with the latter taking precedence over the former. For more detail, see the MediaWiki Manual entries for $wgGroupPermissions and $wgRevokePermissions.
T296184: Automatically promote users to the group that grants basic rights proposes using the autopromote mechanism to add users to the group created in T296085: Create a group that grants basic ipinfo* rights. However, the autopromote mechanism doesn't add the user to the group but rather adds an effective (or implicit) group membership, i.e. a user can't be removed from a group that they've been autopromoted to. Therefore, we need to create a group that revokes all ipinfo* rights.
AC
- Create a group that revokes the ipinfo, ipinfo-view-basic, and ipinfo-view-full rights
- Users in the group must not be able to remove themselves from it
Notes
- This group can be defined in extension.json. See https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Extension.json/Schema#RevokePermissions for more detail
- The above also links to the MediaWiki Manual entry for $wgRevokePermissions
- $wgGroupsRemoveFromSelf controls groups users can remove themselves from, e.g.
$wgGroupsRemoveFromSelf[ 'ipinfo-revoked' ] = false;
should be read as "users in the ipinfo-revoked group cannot remove themselves from it."