Page MenuHomePhabricator
Create Task
Maniphest T338384

CentralAuth locks should disable linked Phabricator account
Open, LowPublicFeature
Actions

Description

Feature summary (what you would like to be able to do and where):
When a CentralAuth account is locked, the Phabricator account associated with the locked CA account should be logged out.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
Some spammers/vandals will spam/vandalize both the wikis and Phabricator. When this happens, their accounts are often locked. However, those users are still able to continue spamming/vandalizing on Phabricator until they are blocked on Phabricator as well.

Benefits (why should this be implemented?):

[19:13:38] <RhinosF1>	 And disabled the account via phab-ban
[19:27:05] <Nemo_bis>	 Hmm. Most of the comments happened after the account had already been locked on Meta. I guess that doesn't help if one has already logged in.
[19:31:14] <RhinosF1>	 Nope
[19:31:19] <AntiComposite>	 yeah, unfortunately locks don't kill the phab session
[19:31:38] <RhinosF1>	 Unlike with ldap, disabling linked account doesn't invalidate anything
[19:31:41] <RhinosF1>	 Maybe it should
[20:18:41] <bd808>	 RhinosF1: it could actually... we would basically just need to write the same kind of block/unblock hook handlers that are active for wikitech to fire when folks are blocked on mediawiki.org and/or globally. That might be worth a ticket and discussion. The code is a bit of work but mostly "easy" to put together.
[20:22:38] <RhinosF1>	 bd808: the code is the easy bit
[20:22:48] <RhinosF1>	 The discussion is the hard part
[20:23:32] <bd808>	 In this particular case the group to discuss the change is relatively small and technical I think, but I agree
[20:25:29] <RhinosF1>	 bd808: it's wikimedia

Details

Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Draft: Disable Phab user when their SUL account is globally lockedrepos/phabricator/phabricator!87aklapperT338384caLockwmf/stable
Customize query in GitLab

Related Objects

Event Timeline

AntiCompositeNumber created this task.Jun 7 2023, 8:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 7 2023, 8:31 PM
RhinosF1 awarded a token.Jun 7 2023, 8:32 PM
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptJun 7 2023, 8:32 PM
Reedy subscribed.Jun 7 2023, 8:42 PM

I suspect most of the code can be used verbatim (ideally some refactoring to reduce duplication, some common class, that probably still lives in wmf-config, but whatever).

Really, the only part that probably needs updating is this, as we don't want to do an ldapname look up (I'd guess):

		$username = $block->getTargetName();
		$resp = wmfPhabClient( $wmgPhabricatorApiToken, 'user.ldapquery', [
			'ldapnames' => [ $username ],
			'offset' => 0,
			'limit' => 1,
		] );
TheresNoTime subscribed.Jun 7 2023, 8:42 PM
Reedy added a project: WMF-General-or-Unknown.Jun 7 2023, 8:42 PM
taavi subscribed.Jun 7 2023, 8:45 PM

Yeah. And a check to only process users that have a mediawikiwiki should deal with most performance concerns I have.

Is there a suitable hook in CentralAuth already?

Reedy added a comment.Jun 7 2023, 8:45 PM
[21:44:43] <bd808> Reedy: https://phabricator.wikimedia.org/conduit/method/user.mediawikiquery/
[21:44:51] <Reedy> oh look at that, so simple ;P
		$username = $block->getTargetName();
		$resp = wmfPhabClient( $wmgPhabricatorApiToken, 'user.mediawikiquery', [
			'names' => [ $username ],
			'offset' => 0,
			'limit' => 1,
		] );
bd808 subscribed.Jun 7 2023, 8:46 PM

https://phabricator.wikimedia.org/conduit/method/user.mediawikiquery/ is the API to call with a SUL account username.

bd808 added a comment.Jun 7 2023, 9:17 PM

T222209: Cleanup logging and curl use in wikitech post-block hooks could also be addressed when implementing this. Code could be extracted from https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/refs/heads/master/wmf-config/wikitech.php and moved to a file that can be used from more than just wikitech.

Peachey88 subscribed.Jun 7 2023, 9:32 PM
Quiddity awarded a token.Jun 8 2023, 2:57 AM
Nemo_bis subscribed.Jun 8 2023, 6:14 AM
Agent_Isai subscribed.Jul 11 2023, 6:07 AM
Aklapper moved this task from To Triage to Needs code (in Phab or bot) on the Phabricator board.Jul 12 2023, 8:08 PM
Tgr subscribed.Oct 5 2023, 2:15 AM
In T338384#8911697, @taavi wrote:

Is there a suitable hook in CentralAuth already?

Doesn't seem so.

But then if there is a risk of abuse of technical spaces, wouldn't you want to block the user on wikitech (which does log them out from Phabricator) anyway?

kostajh renamed this task from CentralAuth locks should logged linked users out of Phabricator to CentralAuth locks should log linked users out of Phabricator.Oct 5 2023, 6:22 AM
Aklapper added a comment.Oct 5 2023, 6:52 AM
In T338384#9226941, @Tgr wrote:

wouldn't you want to block the user on wikitech (which does log them out from Phabricator) anyway?

If an LDAP/wikitech account was linked to the Phabricator account that would probably make sense; most of the time there is not (but only a SUL account).

Aklapper triaged this task as Low priority.Nov 29 2023, 8:27 PM
Bugreporter moved this task from Backlog to Global account management (lock/hide/suppress) on the MediaWiki-extensions-CentralAuth board.Jan 17 2024, 12:49 PM
Bugreporter mentioned this in T359211: Add a "reason" field in phab-ban tool.Mar 5 2024, 7:17 PM
Bugreporter mentioned this in T359212: Phabricator admins should have access to phab-ban tool.Mar 5 2024, 7:20 PM
Bugreporter renamed this task from CentralAuth locks should log linked users out of Phabricator to CentralAuth locks should disable linked Phabricator account.Mar 5 2024, 7:34 PM
Bugreporter subscribed.EditedMar 5 2024, 7:36 PM

Note:

Update:

  • Unlike disabling LDAP accounts and global locks (which Tgr suggest to completely migrate to global blocks), local and global blocks can be time-limited and MediaWiki currently does not provide ways to notify block expiration. In addition if account is to be reenabled once block expired, we should make sure not to reenable accounts disabled before such blocks, otherwise any MediaWiki admins (if we disable account based on MediaWiki.org block, currently we does not) can reenable a WMF banned user.
Aklapper merged a task: Restricted Task.May 19 2024, 6:47 PM
Aklapper added subscribers: Yann, DannyS712, zhuyifei1999 and 5 others.
Xaosflux subscribed.May 19 2024, 8:44 PM

If this "disables" the phab account, will a new story of "CentralAuth unlocks should enable linked Phabricator account" be also addressed?

Aklapper added a comment.Aug 14 2024, 11:37 AM

If anyone wanted to write custom code to query global locks on connected SUL accounts before UPDATEing a Phab user's sessionKey, per past discussions in https://secure.phabricator.com/T4806 that should likely go into loadUserForSession() in https://phabricator.wikimedia.org/source/phabricator/browse/wmf%252Fstable/src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Izno subscribed.Aug 21 2024, 3:20 PM
Pppery removed a project: WMF-General-or-Unknown.Nov 27 2024, 12:50 AM
CodeReviewBot added a project: Patch-For-Review.Apr 4 2025, 9:20 AM

aklapper opened https://gitlab.wikimedia.org/repos/phabricator/phabricator/-/merge_requests/87

Log out Phab user when their SUL account is globally locked

Aklapper claimed this task.Apr 4 2025, 9:21 AM
Aklapper added a project: Release-Engineering-Team (Doing 😎).
Bugreporter added a comment.Apr 4 2025, 9:32 AM

Note we should also consider unlocks - e.g. Last week WMF locked more than 30k compromised account. Imagine we also disabled the linked Phabricator account, and later someone is unlocked, they will be confused that their Phabricator account is still disabled.

Aklapper added a comment.Apr 4 2025, 9:42 AM

Right, I was thinking of only logging out the Phab user (less work for admins because no manual re-enabling) instead of disabling their account (but that is way clearer communication to anyone instead of "why do I always get logged out"). I'm a bit torn.

How often do we remove global locks? Are there any percentages available?

Bugreporter added a comment.EditedApr 4 2025, 9:51 AM

Even if removal of global locks is not often, the issue is most stewards (plus WMFOffice) are not Phabricator admins, so they can not reenable Phabricator accounts. Also, they may not be aware that there are Phabricator account to be reenabled.

Also global blocks for accounts currently exists and is planned to completely replace global locks (T373388). Unlike global locks, global blocks can be temporary.

Aklapper added a comment.Apr 4 2025, 10:27 AM

There is no way to store why a Phab account got disabled so there is not much sense in adding code to check at Phab login if a SUL account is locked or not.

Bugreporter added a comment.Apr 4 2025, 11:00 AM

But at least it is known who is disabling the Phabricator account (example), and thus we can exclude accounts disabled by an admin (including PhabBanBot).

Aklapper added a comment.Apr 4 2025, 11:14 AM

Note that our Antivandalism code does not leave an entry that it disabled a Phabricator account (patches welcome to change that behavior).

Bugreporter added a comment.Apr 4 2025, 11:15 AM
This comment was removed by Bugreporter.
Bugreporter added a comment.Apr 4 2025, 11:25 AM
In T338384#10712366, @Aklapper wrote:

Note that our Antivandalism code does not leave an entry that it disabled a Phabricator account (patches welcome to change that behavior).

Actually https://gerrit.wikimedia.org/r/plugins/gitiles/phabricator/antivandalism/+/refs/heads/wmf/stable/src/herald/AntiVandalismAction.php#420 added a log with a very specific story type (AntiVandalismFeedStory), and we probably can query this. This is different from those accounts disabled by admins.

Aklapper added a comment.Apr 4 2025, 11:41 AM

Oh true, it is listed in the "global" feed but not in the per-user page feed.

Aklapper removed Aklapper as the assignee of this task.Jul 16 2025, 11:46 AM
Aklapper edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team (Doing 😎).
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJul 16 2025, 11:46 AM
Aklapper added a comment.Jul 21 2025, 11:09 AM

IIRC Tyler mentioned that Bitu can block Gerrit accounts; check maybe there's something similar for Phab accounts too?

JTweed-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Jul 21 2025, 2:43 PM
bd808 added a comment.Jul 21 2025, 3:46 PM
In T338384#11019978, @Aklapper wrote:

IIRC Tyler mentioned that Bitu can block Gerrit accounts; check maybe there's something similar for Phab accounts too?

Bitu current supports blocking/disabling Gerrit, GitLab, and Phabricator accounts that are linked to a Developer account when it is disabled. This was the old Wikitech blocking ported to Bitu when Wikitech was separated from Developer accounts in October 2024. https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/bitu/+/refs/heads/master/src/bitu/wikimedia/jobs.py#99

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits