Page MenuHomePhabricator
Create Task
Maniphest T355286

[Epic] Globally blocking a temporary account should prevent further account creations
Open, Needs TriagePublic
Actions

Description

Background

Temporary users have global accounts, the same as fully registered users. Once T17294: Allow blocking of global accounts is complete, we should be able to globally block temporary accounts. However there is nothing stopping the user from creating a new temporary account on their next edit after they end their session (such as via clearing cookies or using a different browser).

Possible approach

This could involve solving T17294: Allow blocking of global accounts and allowing autoblocks - so a temporary account could be globally blocked with an autoblocking block. (See also T340275, but it will likely be merged into T17294 as they can be solved together.)

Additional questions about the block itself:

  • How long for?
  • Account creation only? (would allow already-created temp users to keep editing)

Related Objects
Search...

StatusSubtypeAssignedTask
 In Progress NiharikaT324492 Temporary accounts - MVP
 OpenNoneT326816 Update features for IP Masking
 OpenNoneT355286 [Epic] Globally blocking a temporary account should prevent further account creations
 OpenSkizzerzT17294 Allow blocking of global accounts
 OpenDreamy_JazzT356990 GlobalBlocking extension has poor test coverage
 OpenNoneT358777 Rename messages with the '-new' suffix to remove this suffix
 OpenNoneT358776 Remove old versions of GlobalBlocking i18n messages
 OpenNoneT358773 Remove the global accounts block configuration flag
 OpenNoneT356924 Deploy global account blocks to WMF wikis
 OpenNoneT356926 Add support to block global accounts using the globalblock API
 OpenNoneT356929 Allow SpecialRemoveGlobalBlock to remove a global block on an account
 ResolvedDreamy_JazzT356931 Support modifying the status of global blocks on accounts using Special:GlobalBlockStatus
 OpenNoneT356932 Allow Special:GlobalBlockList to show global blocks for accounts
 ResolvedDreamy_JazzT359584 Provide action links on Special:Log for global block entries
 OpenDreamy_JazzT356934 Allow a user to perform global blocks on accounts using Special:GlobalBlock
 OpenNoneT356935 The 'globalblocks' API should support listing global blocks for accounts
 ResolvedDreamy_JazzT356936 Update GlobalBlocking services to support global block on accounts
 ResolvedDreamy_JazzT358150 Update the GlobalBlockLocalStatusLookup and GlobalBlockLocalStatusManager services to support blocking accounts
 ResolvedDreamy_JazzT358157 Update the GlobalBlockManager service to support global blocks on accounts
 ResolvedDreamy_JazzT358155 Update GlobalBlockLookup service to support global blocks on accounts
 ResolvedDreamy_JazzT356876 Add a column to store central ID in globalblocks and global_block_whitelist tables
 Resolved MarosteguiT356987 Add gb_target_central_id to the globalblocks table on the centralauth DB
 Resolved MarosteguiT356988 Add gbw_target_central_id to global_block_whitelist table on WMF wikis
 ResolvedDreamy_JazzT356922 Deprecate unnecessary GlobalBlocking hooks
 ResolvedDreamy_JazzT359091 Create GlobalBlockLocalStatusManager service
 ResolvedDreamy_JazzT358865 Use non-legacy log parameters for log entries for global blocking and unblocking
 ResolvedDreamy_JazzT358725 Update the GlobalBlockingLinkBuilder service for global account blocks
 ResolvedDreamy_JazzT356923 Create a configuration value to control whether global account blocks are enabled
 ResolvedDreamy_JazzT356925 Update or duplicate GlobalBlocking messages to allow staged deployment of blocking accounts
 ResolvedDreamy_JazzT357385 Refactor the GlobalBlocking utility class into services
 ResolvedDreamy_JazzT357399 Create GlobalBlockingConnectionProvider
 ResolvedDreamy_JazzT357443 Create GlobalBlockingBlockPurger service
 ResolvedDreamy_JazzT357506 Create GlobalBlockLocalStatusLookup service
 ResolvedDreamy_JazzT357675 Create GlobalBlockLookup service
 ResolvedDreamy_JazzT357925 Create the GlobalBlockManager service
 ResolvedTchandersT360516 Periodically remove orphaned global_block_whitelist entries
 ResolvedDreamy_JazzT360621 Test and make improvements to the fixGlobalBlockWhitelist.php script

Event Timeline

Tchanders created this task.Jan 18 2024, 6:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 18 2024, 6:46 AM
Tchanders added a comment.Jan 18 2024, 6:47 AM

One way could be to apply a GlobalBlock to the IP address used when a temp account is locked.

@Dreamy_Jazz Thanks for this idea.

JJMC89 added a project: MediaWiki-extensions-CentralAuth.Jan 18 2024, 6:49 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 18 2024, 6:49 AM
Tchanders added a comment.Jan 18 2024, 6:53 AM

If we think of temp accounts as being like fully registered accounts, then it makes sense that globally locking should work.

If we think of temp accounts as being like IP users, then global locks don't currently work for IP users (the concept makes no sense) so are we losing anything by them not working for temp users? In other words:

  • If a temp user does something that would warrant a global lock, what would we do in the equivalent situation if an IP user did that same thing now?
  • Could we still take that same action for the temp user?
TheresNoTime added a project: Stewards-and-global-tools.Jan 18 2024, 7:20 AM
Bugreporter added a parent task: T326937: Prepare CentralAuth extension for IP Masking.Jan 18 2024, 7:27 AM
Bugreporter subscribed.

This may be a duplicate of T19929: CentralAuth account locks should trigger global autoblocks.

Bugreporter added a comment.Jan 18 2024, 7:31 AM

One way could be to apply a GlobalBlock to the IP address used when a temp account is locked.

See also: T340275: Allow GlobalBlocking to block temporary accounts

Tchanders added a comment.Jan 18 2024, 1:25 PM
In T355286#9467905, @Bugreporter wrote:

This may be a duplicate of T19929: CentralAuth account locks should trigger global autoblocks.

Thanks. We could keep them separate for now in case we go in a different direction or come up with additional measures for temporary accounts - but they may end up being duplicates if not.

AntiCompositeNumber subscribed.Jan 18 2024, 11:52 PM
Tgr subscribed.Jan 19 2024, 1:14 AM

I think we should generally get rid of global locking and extend GlobalBlocking to non-anonymous users instead (T17294: Allow blocking of global accounts). It's on my todo list to see if the WIP patch on that task can be fixed up with limited effort.

Xaosflux subscribed.Jan 19 2024, 1:19 AM
In T355286#9471508, @Tgr wrote:

I think we should generally get rid of global locking and extend GlobalBlocking to non-anonymous users instead (T17294: Allow blocking of global accounts). It's on my todo list to see if the WIP patch on that task can be fixed up with limited effort.

In standard practices perhaps, though locking is still relevant for scenarios such as account compromises, deceased users, etc.

Vermont subscribed.Jan 19 2024, 1:22 AM

+1 to Xaosflux. Global locks are a necessary tool, though global blocks should also be an option.

Bugreporter added a comment.EditedJan 19 2024, 1:25 AM
In T355286#9471514, @Xaosflux wrote:
In T355286#9471508, @Tgr wrote:

I think we should generally get rid of global locking and extend GlobalBlocking to non-anonymous users instead (T17294: Allow blocking of global accounts). It's on my todo list to see if the WIP patch on that task can be fixed up with limited effort.

In standard practices perhaps, though locking is still relevant for scenarios such as account compromises, deceased users, etc.

In this case Tgr propose to replace it with a variant of T222281: Add a way to prevent user from log in and disable a users session when blocking. Note if block-disable-login is available, in SUL wikis we need to prevent it be used locally, i.e. such option may only be enablable with a global block, not a local one, since it does not make sense if we lock out a user in wiki A but not wiki B.

Vermont added a comment.Jan 19 2024, 1:33 AM
In T355286#9471519, @Bugreporter wrote:
In T355286#9471514, @Xaosflux wrote:
In T355286#9471508, @Tgr wrote:

I think we should generally get rid of global locking and extend GlobalBlocking to non-anonymous users instead (T17294: Allow blocking of global accounts). It's on my todo list to see if the WIP patch on that task can be fixed up with limited effort.

In standard practices perhaps, though locking is still relevant for scenarios such as account compromises, deceased users, etc.

In this case Tgr propose to replace it with a variant of T222281: Add a way to prevent user from log in and disable a users session when blocking. Note if block-disable-login is available, in SUL wikis we need to prevent it be used locally, i.e. such option may only be enablable with a global block, not a local one, since it does not make sense if we lock out a user in wiki A but not wiki B.

From what I understand of that implementation, it would not work. One of the main reasons we (stewards) want global blocking is because it would optimally allow individual projects to unblock a user while preventing editing on all other projects, and would not log them out. A global lock is a different tool for a different purpose and should not be replaced.

Bugreporter added a comment.Jan 19 2024, 1:36 AM

Note only Tgr propose to replace global lock with a "disable session and disable login" option of global block. I do not oppose keeping global lock feature as-is.

Tgr added a comment.Jan 19 2024, 3:26 AM

People clearly want global locking to work like global blocking (e.g. T333244: Warn and confirm for self global locks, T19929: CentralAuth account locks should trigger global autoblocks). It doesn't make sense to maintain two parallel blocking infrastructures, especially when one of them doesn't integrate with MediaWiki's blocking system at all. Especially for something highly sensitive such as preventing account access (which the block system can also do, it's just not used on public Wikimedia wikis). The potential for conflict between local and global blocks was a problem, but the multiblocks migration resolves that, so we can just axe global locks and have GlobalBlocking (and normal blocking for non-SUL wikis, if there is any interest in that) take over the functionality.

Bugreporter added a comment.Jan 19 2024, 3:41 AM

Note: Since T17272/326e4d86c4d7, core MediaWiki (not just CentralAuth) has a user-is-locked concept, and is checked in BotPassword (T194605), though it seems no core MediaWiki feature is setting it.

Vermont added a comment.Jan 19 2024, 4:10 AM
In T355286#9471605, @Tgr wrote:

People clearly want global locking to work like global blocking (e.g. T333244: Warn and confirm for self global locks, T19929: CentralAuth account locks should trigger global autoblocks). It doesn't make sense to maintain two parallel blocking infrastructures, especially when one of them doesn't integrate with MediaWiki's blocking system at all. Especially for something highly sensitive such as preventing account access (which the block system can also do, it's just not used on public Wikimedia wikis). The potential for conflict between local and global blocks was a problem, but the multiblocks migration resolves that, so we can just axe global locks and have GlobalBlocking (and normal blocking for non-SUL wikis, if there is any interest in that) take over the functionality.

If it will be possible to configure a global block of an account to do exactly what a global lock does now, then I wouldn't have objections. It would need to log the user out on all projects, prevent log-in, and prevent local projects from unblocking the user.

For me, the main benefit of being able to globally block accounts is that individual projects can (I assume) unblock/exempt that user locally. The "lock" button in these future global block settings would also need to prevent that.

Tgr added a comment.Jan 19 2024, 4:55 AM

@Vermont I think that shouldn't be problematic. That said, being able to globally block registered users would be useful for the temporary account migration (because locks don't really work for temp users) and turning account locking into a block isn't directly relevant, so that's probably something for the longer term as preparing CentralAuth for temp users and for third-party cookie deprecation are much more urgent.

For now, do you agree T17294: Allow blocking of global accounts would cover this task (if it extends to temp users)?

Bugreporter mentioned this in T355385: Allow marking global blocks not disablable by local wiki.Jan 19 2024, 5:55 AM
AntiCompositeNumber added a comment.Jan 19 2024, 4:56 PM

Either T17294: Allow blocking of global accounts or T19929: CentralAuth account locks should trigger global autoblocks would be sufficient. Global blocks for accounts would be more useful in the long run though.

Tchanders updated the task description. (Show Details)Feb 5 2024, 11:18 AM
pmiazga moved this task from Inbox, needs triage to Soon on the MediaWiki-Platform-Team board.Feb 5 2024, 4:11 PM
DerHexer subscribed.Feb 7 2024, 9:20 PM
Tgr added a comment.Feb 19 2024, 8:06 PM

AHT is working on T17294: Allow blocking of global accounts so I think we can decline this (and T19929: CentralAuth account locks should trigger global autoblocks)?

Dreamy_Jazz added a comment.EditedFeb 19 2024, 8:33 PM
In T355286#9556161, @Tgr wrote:

AHT is working on T17294: Allow blocking of global accounts so I think we can decline this (and T19929: CentralAuth account locks should trigger global autoblocks)?

(Just to clarify it's TSP which is Trust and Safety Product Team after the merger).

Dreamy_Jazz added a comment.EditedFeb 19 2024, 10:50 PM
In T355286#9556161, @Tgr wrote:

AHT is working on T17294: Allow blocking of global accounts so I think we can decline this (and T19929: CentralAuth account locks should trigger global autoblocks)?

We should probably convert this task into allowing autoblocks for global blocks on accounts instead of declining, as T17294: Allow blocking of global accounts does not describe creating autoblocks for global blocks.

I hesitate support closing T19929: CentralAuth account locks should trigger global autoblocks because I wouldn't want to close that until global blocks can be made which have the same features as a lock (i.e. logging the user out immediately, preventing login, and not allowing local disabling). At that point I would be comfortable declining it as part of a broader moving locking to become global blocks effort.

Implementing the feature parity, especially logging out immediately and not allowing the user to log back in, isn't something that would be that would be useful for temporary accounts blocking (as you can't log into an existing temporary account as it has no password and logging the temporary account out when it is a major reason that global blocks are being used instead of locking for temporary accounts).

Disallowing local disables of the block may be something that is useful, but considering that the status quo for IPs is allowing individual projects to locally disable the blocks then I question how useful this would be for temporary accounts (considering that we treat them like IPs in some ways).

Dreamy_Jazz renamed this task from Globally locking a temporary account should prevent further account creations to Globally blocking a temporary account should prevent further account creations.Feb 19 2024, 10:59 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz added a subtask: T17294: Allow blocking of global accounts.
Dreamy_Jazz edited parent tasks, added: T326816: Update features for IP Masking; removed: T326937: Prepare CentralAuth extension for IP Masking.
Tchanders mentioned this in T17294: Allow blocking of global accounts.Feb 22 2024, 4:02 PM
Johannnes89 subscribed.Feb 27 2024, 10:59 AM
Tchanders renamed this task from Globally blocking a temporary account should prevent further account creations to [Epic] Globally blocking a temporary account should prevent further account creations.Mar 1 2024, 11:04 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL