For background, see T348388#9439580.
In a nutshell: make auto-creation always success (disregard local block and abusefilter) and any hook about auto-creation fired after the autocreation is completed (not blocking auto-creation).
This will make CentralAuth autocreation bypass (1) blocks, including local IP/range block and auto block; and (2) AbuseFilter. Note currently some wikis (such as zhwiki) have AbuseFilters disabling some autocreation, and in some case also set to block (cf: T272244). Disabling would no longer be possible, But this may be replacing with an option to block the auto-created account.
This obviously has some strong drawbacks.
Drawback 1: Blocked users or user with locally blocked IP will now be able to create new account, making "prevent account creation" useless.
However:
- Currently blocked user can already create account as long as there are no (global or local) IP block. They may simply log out and wait 24 hours so that autoblock expire, then they can create new accounts.
- If auto-block or (global or local) IP block is active, no (non-IPBE) account can edit local wiki.
Some remedies are:
- For known abusing IP/range and open proxies, globally block them so no accounts can be created.
- For anon-only soft block, a solution is T323948: Blocking all non-confirmed users on an IP or IP range (aka range block against sleeper accounts)
- Increase the time of autoblock, see T43479: [Spam/vandalism] Raise $wgAutoblockExpiry noticeably and T27305: Add a way to extend autoblock to longer than 1 day - Note if I read the task correctly, the current blocker of increasing $wgAutoblockExpiry is not a technical one, but a social one, namely we need to measure how increasing it is effective.
Drawback 2: Users with abusive user names can be autocreated, populating user creation log
- We can restrict the user creation log to some trusted user, or stop logging auto-creation, but are they right things we want to do?
- One of solution T21161: Don't autologin if local account doesn't exist (don't autocreate if user doesn't explicitly login) will reduce the number of auto-created account, but it does not completely solve the problem
Note: I have another reason (independent of SUL3) for this task, see T21161#2645921 (option 4, which I prefer): it proposes to replace the current local-based session with a CentralAuth-based one, and local users will mostly become an internal thing (they are no longer autocreated on visit, but create as needed when we need one). So for example, someone may create an enwiki account becausing then changed a user perference, and it will be very confusing if they can not do it because of they are using a blocked IP (which they can if they already has a local account).