Page MenuHomePhabricator

In UserGroupManager::getUserImplicitGroups, add temporary users to a 'temp' group instead of the 'user' group
Closed, ResolvedPublic

Description

This is for T330816: [Epic] Temporary users should not be assigned to user groups. See also T330816#8958447.

Currently, temp users are added to the 'user' group, along with users who create an account. Users who create an account are also added to a 'named' group. If we kept the status quo, then communities would have to actively remove rights from the 'user' group if they didn't want temp users to have them, and give those rights to the 'named' group instead.

We're instead going to introduce a 'temp' user group. Temporary users will be added to the 'temp' group instead of the 'user' group, meaning that if communities do nothing (change no configuration), temp users will not have any more rights than are assigned to the '*' group. Communities must actively give them rights by assigning rights to the 'temp' group.

(We still keep the 'named' group, in case a future product decision is taken to assign temporary users to the 'user' group.)

Related Objects

StatusSubtypeAssignedTask
In ProgressNiharika
OpenNone
OpenTchanders
OpenNone
ResolvedSTran
ResolvedUmherirrender
Resolved AGueyte
Duplicate AGueyte
ResolvedSTran
Resolved Dreamy_Jazz
OpenSTran
OpenSTran
OpenSTran
OpenSTran
OpenSTran
OpenNone
OpenNone
OpenNone
OpenSTran
ResolvedSTran
ResolvedBUG REPORT Dreamy_Jazz
OpenNone
Resolved TThoabala
Resolved TThoabala
Resolved TThoabala
Resolved AGueyte
ResolvedBUG REPORT AGueyte
ResolvedBUG REPORT AGueyte
Resolved AGueyte
Resolved AGueyte
ResolvedCyndymediawiksim
DuplicateNone
OpenNone
ResolvedTchanders
ResolvedTchanders

Event Timeline

Note that temporary users will no longer be able to edit if the site has the following configuration:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;

without also setting:

$wgGroupPermissions['temp']['edit'] = true;

Change 932292 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Add temporary users to a 'temp' group, and stop adding them to 'user'

https://gerrit.wikimedia.org/r/932292

Testing steps

Note the following:

Note that temporary users will no longer be able to edit if the site has the following configuration:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;

without also setting:

$wgGroupPermissions['temp']['edit'] = true;

Therefore merging this patch depends on merging this config change, so that temporary users can still edit on German beta: https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/933974

Test rights locally

(There's no need to test every one of these permissions.)

Test rights on beta dewiki

Similar to the above, but the precise rights depend on which groups are given which rights in the configuration. These are summarised here: https://de.wikipedia.beta.wmflabs.org/wiki/Spezial:Gruppenrechte (Again though, no need to test them all.)

Checking group membership

It might be worth checking the group membership of some users, using something along these lines in the dev tools console:

mw.user.getGroups( function ( groups ) {
    console.log(groups);
} );
  • anon users should have *
  • temp users should have * and temp
  • fully-registered users who haven't been added to any additional groups should have *, user and named

Change 933974 had a related patch set uploaded (by Tchanders; author: Tchanders):

[operations/mediawiki-config@master] Assign 'edit' right to the 'temp' group in dewiki

https://gerrit.wikimedia.org/r/933974

Change 933974 merged by jenkins-bot:

[operations/mediawiki-config@master] Assign 'edit' right to the 'temp' group in dewiki

https://gerrit.wikimedia.org/r/933974

Change 932292 merged by jenkins-bot:

[mediawiki/core@master] Add temporary users to a 'temp' group, and stop adding them to 'user'

https://gerrit.wikimedia.org/r/932292

This is merged now. I confirmed that I can still edit and create a temporary user on German beta. Also that I now get an error when visiting https://de.m.wikipedia.beta.wmflabs.org/wiki/Special:Upload

dom_walden subscribed.
  • anon users should have *

I don't know if I can check the user groups of an IP (I couldn't via the API). But (as pointed out in T340457#8986418) as an anon user I could create a new page which created a temporary account.

  • temp users should have * and temp

Yep, for both pre-existing temp users and temp users created since this change was merged. For example, via the API:

{
    "userid": 16943,
    "name": "*Unregistered 4649",
    "editcount": 1,
    "registration": "2023-07-04T09:56:25Z",
    "groups": [
        "*",
        "temp"
    ],
    "groupmemberships": [],
    "implicitgroups": [
        "*",
        "temp"
    ],
    "rights": [
        "patrolmarks",
        "createaccount",
        "read",
        "edit",
        "createpage",
        "createtalk",
        "writeapi",
        "viewmywatchlist",
        "editmywatchlist",
        "viewmyprivateinfo",
        "editmyprivateinfo",
        "editmyoptions",
        "urlshortener-create-url",
        "centralauth-merge",
        "abusefilter-view",
        "abusefilter-log",
        "vipsscaler-test",
        "flow-hide",
        "flow-edit-title"
    ],
    "emailable": false,
    "gender": "unknown",
    "centralids": {
        "CentralAuth": 225309,
        "local": 16943
    },
    "attachedlocal": {
        "CentralAuth": true,
        "local": true
    }
}
  • fully-registered users who haven't been added to any additional groups should have *, user and named

Yep.

Test environment: https://de.wikipedia.beta.wmflabs.org MediaWiki 1.41.0-alpha (b284103) 11:33, 4 July 2023.