Page MenuHomePhabricator
Create Task
Maniphest T366858

AbuseFilter does not report user_group or user_name when CreateLocalAccount is performed
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Implement an abuse filter to prevent creation of certain account name on Chinese Wikipedia (see AF194)
  • Use Special:CreateLocalAccount to create a user name that would be blocked by the abuse filter

What happens?:
The AbuseLog does not report the user performing the CreateLocalAccount action nor the group the user is in.

What should have happened instead?:
AbuseFilter would report user_group so the filter would allow admins or other permitted user to create a local account where it was a false positive and a rewrite of the filtering rules is not feasible..

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Compute user_* variables for forced autocreation via Special:CreateLocalAccountmediawiki/extensions/AbuseFiltermaster+133 -30
AuthManager: Include $performer in options for testUserForCreationmediawiki/coremaster+12 -5
Customize query in gerrit

Related Objects

Event Timeline

mys_721tx created this task.Jun 6 2024, 11:45 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJun 6 2024, 11:46 PM
Restricted Application added subscribers: Stang, Aklapper. · View Herald Transcript
mys_721tx added a project: Chinese-Sites.Jun 6 2024, 11:46 PM
Sidishandsome subscribed.Jun 7 2024, 5:46 AM
Tgr mentioned this in T316303: Check global rights during autocreation.Jun 9 2024, 10:42 PM
Shizhao moved this task from Backlog to Extensions/Skins on the Chinese-Sites board.Jun 11 2024, 3:05 AM
Tgr edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Jun 17 2024, 3:02 PM
Tgr subscribed.

The amount of details reported seems pretty minimal: https://zh.wikipedia.org/wiki/Special:%E6%BB%A5%E7%94%A8%E6%97%A5%E5%BF%97/5138031

I think this is an issue with AbuseFilter, or the AbuseFilter-related hook handlers in CentralAuth, not CentralAuth itself. The code triggering the autocreation is in CentralAuthForcedLocalCreationService.

matej_suchanek subscribed.Jun 22 2024, 3:30 PM

T307827 mentions AF194, too. So I think it is the same problem.

Xiplus subscribed.Jul 17 2024, 12:07 AM
Hamishcn subscribed.Aug 9 2024, 10:11 PM
gerritbot added a comment.Wed, Oct 8, 4:10 PM

Change #1194680 had a related patch set uploaded (by Dragoniez; author: Dragoniez):

[mediawiki/core@master] AuthManager: Include $performer in options for testUserForCreation

https://gerrit.wikimedia.org/r/1194680

gerritbot added a project: Patch-For-Review.Wed, Oct 8, 4:10 PM

Change #1194682 had a related patch set uploaded (by Dragoniez; author: Dragoniez):

[mediawiki/extensions/AbuseFilter@master] [WIP] Compute user_* variables for forced autocreation via Special:CreateLocalAccount

https://gerrit.wikimedia.org/r/1194682

Dragoniez removed a project: Chinese-Sites.Thu, Oct 9, 8:29 AM
Dragoniez subscribed.

Removing Chinese-Sites because this (annoying) issue isn't limited to Chinese sites.

Dragoniez mentioned this in T307828: Separate Special:CreateLocalAccount from autocreateaccount in abuse filters.Sat, Oct 11, 6:00 PM
Dragoniez mentioned this in T307827: Missing abuse logs of Special:CreateLocalAccount actions.Mon, Oct 13, 3:49 PM
gerritbot added a comment.Wed, Oct 29, 8:30 PM

Change #1194680 merged by jenkins-bot:

[mediawiki/core@master] AuthManager: Include $performer in options for testUserForCreation

https://gerrit.wikimedia.org/r/1194680

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.1; 2025-11-05).Wed, Oct 29, 9:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits