Determine who can add/remove users from the no-ipinfo group
Open, Needs Triage, Public

Description

T303858 created a no-ipinfo group to revoke access to IPInfo for individual users in a given project. However, no user can, by default, add or remove anyone to or from that group.

On Wikimedia wikis, stewards and some WMF staff members in privileged local or global user groups are able to. Apparently this is how the Foundation wanted it for now per the guidelines.

While for now IPInfo is not offering any data not already visible or available, this is probably not urgent, but as the IP masking project progresses, it'd be good to determine if we want to allow local users to manage this group, and if so, which one(s).

I suggest we allow administrators to add/remove users to/from that group via the IPInfo extension.json.

Partially off-topic question: what do we do if we need to revoke a user's access to IPInfo globally, across several or all Wikimedia projects? CentralAuth's global user rights, as far as I know, do not support a function such as $wgRevokePermissions, and adding the no-ipinfo group on 700+ wikis, manually, does not scale.

Thanks.

Event Timeline

I'm adding some info about this new user group on Meta-Wiki (Wikidata item) just in case people wonder what this is about.

Change 803464 had a related patch set uploaded (by MarcoAurelio; author: MarcoAurelio):

[mediawiki/extensions/IPInfo@master] Allow administrators to add and remove the no-ipinfo right by default

https://gerrit.wikimedia.org/r/803464

Would it not be worth leaving it as bureaucrat for grant/revoke for now?

No objections to changing it to bureaucrats if you think it's best. We can always customise our wmf-config later and leave this as the default for non-WMF sites.

Hello @Niharika. What's your opinion regarding @TheresNoTime's proposal to use bureaucrat instead of sysop for the extension default? Thanks.

According to the foundationwiki document, it looks like the config for our sites is to have stewards manage this user right. However, this extension.json patch is for other MW sites out there. If merged, however, we'll need a config patch at rOMWC Wikimedia - MediaWiki Config to prevent bureaucrats from managing this.

Partially off-topic question: what do we do if we need to revoke a user's access to IPInfo globally, across several or all Wikimedia projects? CentralAuth's global user rights, as far as I know, do not support a function such as $wgRevokePermissions, and adding the no-ipinfo group on 700+ wikis, manually, does not scale.

Doesn't Special:GlobalGroupPermissions support creating global groups with arbitrary (revoked) permissions? If not, then that is also a problem...

As of today, no. That's why I mentioned it above. In any case, I do not think we should rely on User Rights (either local or global) to restrict access to this functionality.

Change 803464 abandoned by MarcoAurelio:

[mediawiki/extensions/IPInfo@master] Allow administrators to add and remove the no-ipinfo right by default

Reason:

Probably requires more discussion. Still not sure that using UserRights to *revoke* someone's ability to view IP Info data is okay.

https://gerrit.wikimedia.org/r/803464