Page MenuHomePhabricator
Create Task
Maniphest T380084

Temporary accounts can be assigned global groups through Special:GlobalUserRights
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT
Actions

Description

It appears that temporary accounts can be given global user groups through the Special:GlobalUserRights page. We disabled the ability for temporary accounts to be assigned local user groups in subtasks of T330816. However, it appears that this was not also done for Special:GlobalUserRights.

Example on the beta wikis is https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:Log&logid=457007

image.png (173×966 px, 19 KB)

Steps to replicate the issue
  1. Have MediaWiki-extensions-CentralAuth installed
  2. Create a temporary account by making an edit to a page
  3. Log into a user with the steward group
  4. Go to Special:GlobalUserRights and enter the temporary account into the form

What happens:
You can assign global user groups to the temporary account

What should have happened instead:
You should not be able to assign user groups to the temporary account, in a similar way to Special:UserRights for local groups

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Prevent temporary accounts being given global groupsmediawiki/extensions/CentralAuthmaster+148 -14
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Nov 15 2024, 5:47 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptNov 15 2024, 5:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Dreamy_Jazz added a parent task: T326937: Prepare CentralAuth extension for IP Masking.Nov 15 2024, 5:47 PM
Dreamy_Jazz updated the task description. (Show Details)
larissagaulia moved this task from Inbox, needs triage to Not planned (Patches welcome!) on the MediaWiki-Platform-Team board.Nov 18 2024, 3:57 PM
Dreamy_Jazz edited projects, added Temporary accounts (Major pilot wiki deployment); removed Temporary accounts.Nov 20 2024, 3:25 PM
Tchanders added a project: Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)).Dec 5 2024, 6:16 PM
Tchanders moved this task from Backlog to Planned on the Temporary accounts (Major pilot wiki deployment) board.
Dreamy_Jazz claimed this task.Dec 9 2024, 6:01 PM
Dreamy_Jazz set the point value for this task to 2.
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)) board.
gerritbot added a comment.Dec 11 2024, 1:29 PM

Change #1102310 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CentralAuth@master] [WIP] Prevent temporary accounts being given global groups

https://gerrit.wikimedia.org/r/1102310

gerritbot added a project: Patch-For-Review.Dec 11 2024, 1:29 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)) board.Dec 11 2024, 2:23 PM
gerritbot added a comment.Dec 12 2024, 12:35 PM

Change #1102310 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Prevent temporary accounts being given global groups

https://gerrit.wikimedia.org/r/1102310

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.8; 2024-12-17).Dec 12 2024, 1:00 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 12 2024, 1:30 PM
Tchanders moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)) board.Dec 16 2024, 11:19 AM
Djackson-ctr moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)) board.Dec 17 2024, 3:22 AM
Djackson-ctr subscribed.

QA is completed... new code changes have been implemented (You cannot assign global user groups to temporary accounts).

Tchanders closed this task as Resolved.Dec 17 2024, 4:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits