Page MenuHomePhabricator
Create Task
Maniphest T354487

Make CentralAuth auto-creation non-blocking
Open, Needs TriagePublic
Actions

Description

For background, see T348388#9439580.

In a nutshell: make auto-creation always success (disregard local block and abusefilter) and any hook about auto-creation fired after the autocreation is completed (not blocking auto-creation).

This will make CentralAuth autocreation bypass (1) blocks, including local IP/range block and auto block; and (2) AbuseFilter. Note currently some wikis (such as zhwiki) have AbuseFilters disabling some autocreation, and in some case also set to block (cf: T272244). Disabling would no longer be possible, But this may be replacing with an option to block the auto-created account.

This obviously has some strong drawbacks.

Drawback 1: Blocked users or user with locally blocked IP will now be able to create new account, making "prevent account creation" useless.

However:

  • Currently blocked user can already create account as long as there are no (global or local) IP block. They may simply log out and wait 24 hours so that autoblock expire, then they can create new accounts.
  • If auto-block or (global or local) IP block is active, no (non-IPBE) account can edit local wiki.

Some remedies are:

Drawback 2: Users with abusive user names can be autocreated, populating user creation log

Note: I have another reason (independent of SUL3) for this task, see T21161#2645921 (option 4, which I prefer): it proposes to replace the current local-based session with a CentralAuth-based one, and local users will mostly become an internal thing (they are no longer autocreated on visit, but create as needed when we need one). So for example, someone may create an enwiki account becausing then changed a user perference, and it will be very confusing if they can not do it because of they are using a blocked IP (which they can if they already has a local account).

Related Objects

Event Timeline

Bugreporter created this task.Jan 7 2024, 11:51 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 7 2024, 11:51 AM
Restricted Application added subscribers: Stang, Aklapper. · View Herald Transcript
Bugreporter updated the task description. (Show Details)Jan 7 2024, 2:14 PM
Bugreporter updated the task description. (Show Details)Jan 7 2024, 3:16 PM
Pppery awarded a token.Jan 7 2024, 4:25 PM
Bugreporter mentioned this in T21161: Don't autologin if local account doesn't exist (don't autocreate if user doesn't explicitly login).Jan 7 2024, 5:54 PM
Xaosflux added a project: Community-consensus-needed.Jan 7 2024, 6:25 PM
Xaosflux subscribed.

Communities currently make rules about what account names may be created on their projects, before overriding their decisions by allowing a trivial automatic bypass of their controls on WMF servers this should have a global RFC.

Bugreporter added a comment.Jan 7 2024, 7:25 PM

In a more extreme proposal (https://www.mediawiki.org/wiki/User:Legoktm/evil-plans2.txt) the "local account" concept would be eliminated completely.

NoOnEtHeMaStA added a commit: rMEXTf658c3375869: Update git submodules.Jan 7 2024, 9:15 PM
Aklapper removed a commit: rMEXTf658c3375869: Update git submodules.Jan 7 2024, 9:24 PM
Tgr subscribed.Jan 8 2024, 12:35 AM

We should probably talk to the Anti-Harassment team and stewards and think though the implications of this - we might need better tooling against abuse that can be done just by account autocreation (e.g. spamming the logs with abusive usernames). But in general I thing this would be the way to go - local wikis being able to prevent account creation was always a bad idea that only exists accidentally. It's only possible because "central accounts" aren't truly central, which isn't where we want to be in the long term.

For account creation, we probably still want to prevent usernames that do not comply with the local policy, because it's far better to tell users about account creation than forcing them to request a rename or abandon the account. For autocreation, maybe we could add the ability to show a warning that the user's account is violating local policies, or send an Echo notification (more reliable as the autocreation can be triggered by an AJAX request, especially on Wikidata or Commons).

In T354487#9439710, @Xaosflux wrote:

before overriding their decisions by allowing a trivial automatic bypass of their controls on WMF servers this should have a global RFC.

It would need some sort of consultation. We don't generally use RfCs to make decisions about software architecture, though (well, we used to, but that was a different kind of RfC).

Pppery subscribed.EditedJan 8 2024, 4:50 AM

We don't generally use RfCs to make decisions about software architecture, though.

That's the problem. You see this as a software architecture decision. Xaosflux (and others like myself) see it as a community policy decision instead.

Tgr added a comment.Jan 8 2024, 5:49 AM

I mean it's both, but what is or isn't feasible to build is going to limit the range of available choices. Policy choices that lead to impossible or unmaintainable software are bad policy choices, and I don't think it's possible to arrange a global RfC where participants can really take the feasibility of various software design choices into account. That's why the software exception in WP:CONEXCEPT exists.

Anyway, at this point I don't think we have a good understanding of feasibility ourselves (not so much of this task, specifically, but how it would fit into the wider set of changes needed to migrate authentication flows to a central wiki) so I think this discussion is a bit premature. Concerns duly noted, let's get back to them once we have a better idea of how the authentication framework would have to be changed.

larissagaulia moved this task from Inbox, needs triage to Backlog: non-prioritized on the MediaWiki-Platform-Team board.Jan 8 2024, 4:15 PM
Agabi10 subscribed.Feb 28 2024, 12:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL