Page MenuHomePhabricator
Create Task
Maniphest T356249

Consider adding $creator to postAuthentication hook
Closed, ResolvedPublic
Actions

Description

While working on the instrumentation of account conversions for temporary users T346327, we realized that we need access to the user that attempted the action rather than the user the authentication request is being made for. That is to determine whether the creator is a temporary account or not.

Based on this use case and other possible usages (an extension that allow super-admins to impersonate others, for example) it's worth considering to add a $creator parameter to the hook so it's commonly available

Details

SubjectRepoBranchLines +/-
AuthManager: add creator to AuthManagerLoginAuthenticateAudit callsmediawiki/coremaster+41 -17
Customize query in gerrit

Related Objects

Event Timeline

Sgs created this task.Jan 31 2024, 9:52 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 31 2024, 9:52 AM
Urbanecm_WMF subscribed.Jan 31 2024, 11:05 AM
Tgr subscribed.Feb 4 2024, 4:40 PM

postAuthentication is defined in an interface so it's very hard to change. What would be easier is to add the performer to AuthManagerLoginAuthenticateAudit (which is also an interface but has an open-ended extra-data array as one of its parameters). Do you want to submit a patch?

pmiazga moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Feb 5 2024, 4:09 PM
pmiazga edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
gerritbot added a comment.Feb 27 2024, 6:11 PM

Change 1006973 had a related patch set uploaded (by Sergio Gimeno; author: Sergio Gimeno):

[mediawiki/core@master] AuthManager: add creator to AuthManagerLoginAuthenticateAudit

https://gerrit.wikimedia.org/r/1006973

gerritbot added a project: Patch-For-Review.Feb 27 2024, 6:11 PM
Sgs claimed this task.Feb 27 2024, 6:18 PM
In T356249#9511828, @Tgr wrote:

postAuthentication is defined in an interface so it's very hard to change. What would be easier is to add the performer to AuthManagerLoginAuthenticateAudit (which is also an interface but has an open-ended extra-data array as one of its parameters). Do you want to submit a patch?

Thanks for the insight. Yes, I submitted a WIP patch where I only replaced AuthManager calls to the hook. I'm missing to review if there are any other usages around. Feedback welcome.

Sgs added a project: Growth-Team (Sprint 8 (Growth Team)).Mar 4 2024, 10:04 AM
Sgs moved this task from Incoming to Code Review on the Growth-Team (Sprint 8 (Growth Team)) board.
KStoller-WMF edited projects, added Growth-Team (Sprint 9 (Growth Team)); removed Growth-Team (Sprint 8 (Growth Team)).Mar 5 2024, 4:20 PM
Sgs moved this task from Incoming to Code Review on the Growth-Team (Sprint 9 (Growth Team)) board.Mar 5 2024, 4:27 PM
Urbanecm_WMF triaged this task as Medium priority.Mar 5 2024, 6:10 PM
gerritbot added a comment.Mar 6 2024, 10:33 PM

Change 1006973 merged by jenkins-bot:

[mediawiki/core@master] AuthManager: add creator to AuthManagerLoginAuthenticateAudit calls

https://gerrit.wikimedia.org/r/1006973

Maintenance_bot removed a project: Patch-For-Review.Mar 6 2024, 11:31 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.22; 2024-03-12).Mar 7 2024, 1:00 AM
Urbanecm_WMF closed this task as Resolved.Mar 7 2024, 10:37 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL