Page MenuHomePhabricator
Create Task
Maniphest T385752

Using special globalcontributions is causing clients to attach to other projects triggering autocreated accounts (especially mlwiki)
Closed, DeclinedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:

  • Your SUL account gets attached to mlwiki

What should have happened instead?:

  • Your SUL account should not get attached to mlwiki

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):
WMF production

Related Objects

Event Timeline

Xaosflux created this task.Feb 5 2025, 9:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 5 2025, 9:14 PM
Xaosflux added a project: CheckUser-GlobalContributions.Feb 5 2025, 9:16 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptFeb 5 2025, 9:16 PM
MolecularPilot subscribed.Feb 5 2025, 9:21 PM

Can reproduce. Also triggers the mlwiki welcoming bot.

Xaosflux added a comment.Feb 5 2025, 9:25 PM
In T385752#10527155, @MolecularPilot wrote:

Can reproduce. Also triggers the mlwiki welcoming bot.

That seems to be "triggered" subsequently due to the the local account creation.

A_smart_kitten removed a project: Tool-globalcontribution.Feb 5 2025, 9:45 PM
A_smart_kitten subscribed.
Johannnes89 subscribed.Feb 5 2025, 9:48 PM
Myrealnamm subscribed.Feb 6 2025, 2:12 AM

I've been testing with User:Myrealnamm-testingaccountsproblem, and the problem isn't just mlwiki :

  1. First, I opened m:Special:GlobalContributions/Jimbo_Wales. Nothing was attached to my Global Account.
  2. Second, I opened GlobalContribs page for my own account (Myrealnamm), and it attached my test account to the French Wikipedia. After closing Special:GlobalAccount and reopening it again it also attached to ruwiki.
  3. After searching GlobalContribs for Myrealnamm again it attached to ja.wikibooks.org.
  4. Then searching again, attached id.wiktionary.org.

So it attaches something every time I search on GlobalContribs. But only 1 account each time, not all the accounts.
Assuming the second step I searched twice by accident. If I searched once then it probably only attached one.

Myrealnamm added a comment.Feb 6 2025, 2:15 AM

I'm wondering why no accounts were attached when I searched for Jimbo Wales' global contributions. Probably because the server was a little slow, but I'm assuming that it would've.

Xaosflux renamed this task from Using special globalcontributions is causing clients to attach to mlwiki to Using special globalcontributions is causing clients to attach to unrelated projects triggering autocreated accounts (especially mlwiki).Feb 6 2025, 2:49 AM
Xaosflux renamed this task from Using special globalcontributions is causing clients to attach to unrelated projects triggering autocreated accounts (especially mlwiki) to Using special globalcontributions is causing clients to attach to other projects triggering autocreated accounts (especially mlwiki).Feb 6 2025, 2:53 AM

I just tried again with yet another test account, got mlwiki; after another name ended up getting jawikibooks as well, then got ptwiki when querying an account that was created on eswiki. No idea why mlwiki is so prevalent in tests.

Tgr added a project: MediaWiki-Platform-Team (Radar).Feb 10 2025, 1:19 PM
1AmNobody24 subscribed.Feb 11 2025, 12:46 PM
kostajh added subscribers: Tgr, kostajh.Feb 28 2025, 2:00 PM

Attaching your account to the local wiki happens due to permissions checks as part of querying all wikis via the API with the currently logged-in user. Maybe there's a way to avoid local account creation in this scenario (cc @Tgr) but I am not sure if this would be easy or desirable to do.

Dreamy_Jazz subscribed.EditedFeb 28 2025, 2:02 PM
In T385752#10591116, @kostajh wrote:

Attaching your account to the local wiki happens due to permissions checks as part of querying all wikis via the API with the currently logged-in user. Maybe there's a way to avoid local account creation in this scenario (cc @Tgr) but I am not sure if this would be easy or desirable to do.

We could query the CentralAuthUser to find all local accounts for the performer of the check, and then not query those wikis? However, we would still need to find a way to determine if the user has the rights needed on that wiki. Some assumptions could be made for users with global access, and for those without that global access we could probably assume they do not have access.

Tgr mentioned this in T387357: SUL3 signup results in autocreation on all edge login domains.Mar 1 2025, 7:49 PM
Tgr added a comment.Mar 1 2025, 7:51 PM
In T385752#10591116, @kostajh wrote:

Maybe there's a way to avoid local account creation in this scenario (cc @Tgr) but I am not sure if this would be easy or desirable to do.

This just came up in a different context: T387357#10593392 I'd go for simpler workarounds if they exist.

kostajh added a project: Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).Mar 14 2025, 1:20 PM
Tchanders moved this task from Backlog to Triaged on the CheckUser-GlobalContributions board.Mar 14 2025, 1:33 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)); removed Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).Apr 14 2025, 2:54 PM
Tchanders subscribed.Apr 30 2025, 12:00 PM

I believe this should be solved since https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1129319

Tchanders removed a project: Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).Apr 30 2025, 12:01 PM
kostajh added a comment.Apr 30 2025, 12:03 PM
In T385752#10779984, @Tchanders wrote:

I believe this should be solved since https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1129319

I believe it's still an issue if someone inputs an IP address.

Tchanders added projects: Temporary accounts (Major pilot wiki deployment), Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).Apr 30 2025, 12:05 PM

Alright, marked back as a major pilots blocker.

kostajh closed this task as Declined.Apr 30 2025, 2:16 PM

We discussed this in sprint planning today. I don't think there is anything we (TSP) can do about this. If we make an authenticated API request to another wiki to get results, the account will get attached. As such, I am going to decline this.

NicoScribe subscribed.Jun 18 2025, 6:44 AM
kostajh mentioned this in T405194: Userinfo API call creates account in all wikis where user is active.Sep 22 2025, 8:04 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits