
Separate Special:CreateLocalAccount from autocreateaccount in abuse filters
Open, Needs Triage | Public | Feature

Description

Feature summary (what you would like to be able to do and where):
Create a new abuse filter action for local account creations from Special:CreateLocalAccount to separate them from autocreateaccount. Let the user who creates the local account (usually a sysop), instead of the account created, be the action performer.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

  • Create an abuse filter to block creation and autocreation of accounts whose names match a certain pattern.

Example rules:

(
    action == 'createaccount'
    | action == 'autocreateaccount'
)
& (
    rx := "some pattern";
    accountname irlike rx
)
  • Set warning and prevention as the actions when triggered.
  • Go to Special:CreateLocalAccount and create a local account for some username matching that pattern.
  • The AF we just created is triggered. Abuse log says it was an autocreateaccount action taken by the account who should have been created.

Currently, local account creations from Special:CreateLocalAccount look the same as the account creating its own local account. This could lead to misinterpretation of abuse logs and difficulties in designing abuse filters.

Benefits (why should this be implemented?):

  • Sysops could be excluded from targets of filters when they manually create local accounts for users who will be caught by the filter but show good records elsewhere.

Other information

Problem was first found on zhwiki (AF194), then reproduced on wikidata.beta.wmflabs.org by User:Stang (AF3).

Event Timeline

The chain of calls seems to be:

  • SpecialCreateLocalAccount::onSubmit (CA)
  • CentralAuthForcedLocalCreationService::attemptAutoCreateLocalUserFromName
  • CentralAuthUtilityService::autoCreateUser
  • AuthManager::autoCreateUser (core)
  • AbuseFilterPreAuthenticationProvider::testUserForCreation/::testUser (AF)
  • RunVariableGenerator::getAccountCreationVars

SpecialCreateLocalAccount::onSubmit calls CentralAuthForcedLocalCreationService::attemptAutoCreateLocalUserFromName and provides the performing authority. But CentralAuthForcedLocalCreationService::attemptAutoCreateLocalUserFromName cannot pass the authority further because neither CentralAuthUtilityService::autoCreateUser nor AuthManager::autoCreateUser supports that. The information about the performer is thus not available to AbuseFilter.

(The fact that someone is responsible for "autocreating" an account seems to be a contradiction to what the term "autocreate" was originally coined for.)

@Bugreporter, T360765 added other features that are not mentioned in T307828 which are linked to T234155, T50623 and T290324, or even T130439 which is solved, as global variables and restricted view-only. I wouldn't have merged even if T307828 has to be solved to implement other features.