Page MenuHomePhabricator
Create Task
Maniphest T338384

CentralAuth locks should disable linked Phabricator account
Open, LowPublicFeature
Actions

Description

Feature summary (what you would like to be able to do and where):
When a CentralAuth account is locked, the Phabricator account associated with the locked CA account should be logged out.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
Some spammers/vandals will spam/vandalize both the wikis and Phabricator. When this happens, their accounts are often locked. However, those users are still able to continue spamming/vandalizing on Phabricator until they are blocked on Phabricator as well.

Benefits (why should this be implemented?):

[19:13:38] <RhinosF1>	 And disabled the account via phab-ban
[19:27:05] <Nemo_bis>	 Hmm. Most of the comments happened after the account had already been locked on Meta. I guess that doesn't help if one has already logged in.
[19:31:14] <RhinosF1>	 Nope
[19:31:19] <AntiComposite>	 yeah, unfortunately locks don't kill the phab session
[19:31:38] <RhinosF1>	 Unlike with ldap, disabling linked account doesn't invalidate anything
[19:31:41] <RhinosF1>	 Maybe it should
[20:18:41] <bd808>	 RhinosF1: it could actually... we would basically just need to write the same kind of block/unblock hook handlers that are active for wikitech to fire when folks are blocked on mediawiki.org and/or globally. That might be worth a ticket and discussion. The code is a bit of work but mostly "easy" to put together.
[20:22:38] <RhinosF1>	 bd808: the code is the easy bit
[20:22:48] <RhinosF1>	 The discussion is the hard part
[20:23:32] <bd808>	 In this particular case the group to discuss the change is relatively small and technical I think, but I agree
[20:25:29] <RhinosF1>	 bd808: it's wikimedia

Related Objects

Event Timeline

AntiCompositeNumber created this task.Jun 7 2023, 8:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 7 2023, 8:31 PM
RhinosF1 awarded a token.Jun 7 2023, 8:32 PM
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptJun 7 2023, 8:32 PM
Reedy subscribed.Jun 7 2023, 8:42 PM

I suspect most of the code can be used verbatim (ideally some refactoring to reduce duplication, some common class, that probably still lives in wmf-config, but whatever).

Really, the only part that probably needs updating is this, as we don't want to do an ldapname look up (I'd guess):

		$username = $block->getTargetName();
		$resp = wmfPhabClient( $wmgPhabricatorApiToken, 'user.ldapquery', [
			'ldapnames' => [ $username ],
			'offset' => 0,
			'limit' => 1,
		] );
TheresNoTime subscribed.Jun 7 2023, 8:42 PM
Reedy added a project: WMF-General-or-Unknown.Jun 7 2023, 8:42 PM
taavi subscribed.Jun 7 2023, 8:45 PM

Yeah. And a check to only process users that have a mediawikiwiki should deal with most performance concerns I have.

Is there a suitable hook in CentralAuth already?

Reedy added a comment.Jun 7 2023, 8:45 PM
[21:44:43] <bd808> Reedy: https://phabricator.wikimedia.org/conduit/method/user.mediawikiquery/
[21:44:51] <Reedy> oh look at that, so simple ;P
		$username = $block->getTargetName();
		$resp = wmfPhabClient( $wmgPhabricatorApiToken, 'user.mediawikiquery', [
			'names' => [ $username ],
			'offset' => 0,
			'limit' => 1,
		] );
bd808 subscribed.Jun 7 2023, 8:46 PM

https://phabricator.wikimedia.org/conduit/method/user.mediawikiquery/ is the API to call with a SUL account username.

bd808 added a comment.Jun 7 2023, 9:17 PM

T222209: Cleanup logging and curl use in wikitech post-block hooks could also be addressed when implementing this. Code could be extracted from https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/refs/heads/master/wmf-config/wikitech.php and moved to a file that can be used from more than just wikitech.

Peachey88 subscribed.Jun 7 2023, 9:32 PM
Quiddity awarded a token.Jun 8 2023, 2:57 AM
Nemo_bis subscribed.Jun 8 2023, 6:14 AM
Agent_Isai subscribed.Jul 11 2023, 6:07 AM
Aklapper moved this task from To Triage to Needs code (in Phab or bot) on the Phabricator board.Jul 12 2023, 8:08 PM
Tgr subscribed.Oct 5 2023, 2:15 AM
In T338384#8911697, @taavi wrote:

Is there a suitable hook in CentralAuth already?

Doesn't seem so.

But then if there is a risk of abuse of technical spaces, wouldn't you want to block the user on wikitech (which does log them out from Phabricator) anyway?

kostajh renamed this task from CentralAuth locks should logged linked users out of Phabricator to CentralAuth locks should log linked users out of Phabricator.Oct 5 2023, 6:22 AM
Aklapper added a comment.Oct 5 2023, 6:52 AM
In T338384#9226941, @Tgr wrote:

wouldn't you want to block the user on wikitech (which does log them out from Phabricator) anyway?

If an LDAP/wikitech account was linked to the Phabricator account that would probably make sense; most of the time there is not (but only a SUL account).

Aklapper triaged this task as Low priority.Nov 29 2023, 8:27 PM
Bugreporter moved this task from Backlog to Global account management (lock/hide/suppress) on the MediaWiki-extensions-CentralAuth board.Jan 17 2024, 12:49 PM
Bugreporter mentioned this in T359211: Add a "reason" field in phab-ban tool.Mar 5 2024, 7:17 PM
Bugreporter mentioned this in T359212: Phabricator admins should have access to phab-ban tool.Mar 5 2024, 7:20 PM
Bugreporter renamed this task from CentralAuth locks should log linked users out of Phabricator to CentralAuth locks should disable linked Phabricator account.Mar 5 2024, 7:34 PM
Bugreporter subscribed.EditedMar 5 2024, 7:36 PM

Note:

Update:

  • Unlike disabling LDAP accounts and global locks (which Tgr suggest to completely migrate to global blocks), local and global blocks can be time-limited and MediaWiki currently does not provide ways to notify block expiration. In addition if account is to be reenabled once block expired, we should make sure not to reenable accounts disabled before such blocks, otherwise any MediaWiki admins (if we disable account based on MediaWiki.org block, currently we does not) can reenable a WMF banned user.
Aklapper merged a task: Restricted Task.May 19 2024, 6:47 PM
Aklapper added subscribers: Yann, DannyS712, zhuyifei1999 and 5 others.
Xaosflux subscribed.May 19 2024, 8:44 PM

If this "disables" the phab account, will a new story of "CentralAuth unlocks should enable linked Phabricator account" be also addressed?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL