Page MenuHomePhabricator
Create Task
Maniphest T366858

AbuseFilter does not report user_group or user_name when CreateLocalAccount is performed
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Implement an abuse filter to prevent creation of certain account name on Chinese Wikipedia (see AF194)
  • Use Special:CreateLocalAccount to create a user name that would be blocked by the abuse filter

What happens?:
The AbuseLog does not report the user performing the CreateLocalAccount action nor the group the user is in.

What should have happened instead?:
AbuseFilter would report user_group so the filter would allow admins or other permitted user to create a local account where it was a false positive and a rewrite of the filtering rules is not feasible..

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Related Objects

Event Timeline

mys_721tx created this task.Thu, Jun 6, 11:45 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptThu, Jun 6, 11:46 PM
Restricted Application added subscribers: Stang, Aklapper. · View Herald Transcript
mys_721tx added a project: Chinese-Sites.Thu, Jun 6, 11:46 PM
Sidishandsome subscribed.Fri, Jun 7, 5:46 AM
Tgr mentioned this in T316303: Check global rights during autocreation.Sun, Jun 9, 10:42 PM
Shizhao moved this task from Backlog to Extensions/Skins on the Chinese-Sites board.Tue, Jun 11, 3:05 AM
Tgr edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Mon, Jun 17, 3:02 PM
Tgr subscribed.

The amount of details reported seems pretty minimal: https://zh.wikipedia.org/wiki/Special:%E6%BB%A5%E7%94%A8%E6%97%A5%E5%BF%97/5138031

I think this is an issue with AbuseFilter, or the AbuseFilter-related hook handlers in CentralAuth, not CentralAuth itself. The code triggering the autocreation is in CentralAuthForcedLocalCreationService.

matej_suchanek subscribed.Sat, Jun 22, 3:30 PM

T307827 mentions AF194, too. So I think it is the same problem.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL