Page MenuHomePhabricator
Create Task
Maniphest T401212

WMF wikis CentralAuth database tables have rows for invalid username "Nr: 135"
Open, Needs TriagePublic0.25 Estimated Story PointsPRODUCTION ERROR
Actions

Description

Summary

The MediaWiki-extensions-CentralAuth tables on WMF production contain rows for an invalid username "Nr: 135". This user exists on several wikis but cannot be viewed on the wikis because the username is considered invalid

Background

GlobalBlocking stack trace showing the issue
from /srv/mediawiki/php-1.46.0-wmf.5/extensions/CentralAuth/includes/User/CentralAuthUser.php(232)
#0 /srv/mediawiki/php-1.46.0-wmf.5/extensions/CentralAuth/includes/User/CentralAuthUser.php(246): MediaWiki\Extension\CentralAuth\User\CentralAuthUser::normalizeUsername(string)
#1 /srv/mediawiki/php-1.46.0-wmf.5/extensions/CentralAuth/includes/User/CentralAuthUser.php(211): MediaWiki\Extension\CentralAuth\User\CentralAuthUser::getInstanceByName(string)
#2 /srv/mediawiki/php-1.46.0-wmf.5/extensions/CentralAuth/includes/User/CentralAuthIdLookup.php(370): MediaWiki\Extension\CentralAuth\User\CentralAuthUser::getInstance(MediaWiki\User\User)
#3 /srv/mediawiki/php-1.46.0-wmf.5/extensions/CentralAuth/includes/User/CentralAuthIdLookup.php(342): MediaWiki\Extension\CentralAuth\User\CentralAuthIdLookup->getCentralUserInstance(MediaWiki\User\User, int)
#4 /srv/mediawiki/php-1.46.0-wmf.5/extensions/CentralAuth/includes/User/CentralAuthIdLookup.php(316): MediaWiki\Extension\CentralAuth\User\CentralAuthIdLookup->isAttachedOn(MediaWiki\User\User, string, int)
#5 /srv/mediawiki/php-1.46.0-wmf.5/extensions/GlobalBlocking/includes/Services/GlobalBlockLookup.php(219): MediaWiki\Extension\CentralAuth\User\CentralAuthIdLookup->centralIdFromLocalUser(MediaWiki\User\User, int)
#6 /srv/mediawiki/php-1.46.0-wmf.5/extensions/GlobalBlocking/includes/Services/GlobalBlockLookup.php(80): MediaWiki\Extension\GlobalBlocking\Services\GlobalBlockLookup->getUserBlockDetails(MediaWiki\User\User, null)
#7 /srv/mediawiki/php-1.46.0-wmf.5/extensions/GlobalBlocking/includes/GlobalBlockingHooks.php(78): MediaWiki\Extension\GlobalBlocking\Services\GlobalBlockLookup->getUserBlock(MediaWiki\User\User, null)
#8 /srv/mediawiki/php-1.46.0-wmf.5/includes/HookContainer/HookContainer.php(134): MediaWiki\Extension\GlobalBlocking\GlobalBlockingHooks->onGetUserBlock(MediaWiki\User\User, null, null)
#9 /srv/mediawiki/php-1.46.0-wmf.5/includes/HookContainer/HookRunner.php(2215): MediaWiki\HookContainer\HookContainer->run(string, array)
#10 /srv/mediawiki/php-1.46.0-wmf.5/includes/Block/BlockManager.php(213): MediaWiki\HookContainer\HookRunner->onGetUserBlock(MediaWiki\User\User, null, null)
#11 /srv/mediawiki/php-1.46.0-wmf.5/includes/User/User.php(1433): MediaWiki\Block\BlockManager->getBlock(MediaWiki\User\User, null, bool)
#12 /srv/mediawiki/php-1.46.0-wmf.5/includes/User/User.php(1461): MediaWiki\User\User->getBlock()
#13 /srv/mediawiki/php-1.46.0-wmf.5/includes/SpecialPage/ContributionsSpecialPage.php(589): MediaWiki\User\User->isHidden()
#14 /srv/mediawiki/php-1.46.0-wmf.5/includes/SpecialPage/ContributionsSpecialPage.php(433): MediaWiki\SpecialPage\ContributionsSpecialPage->getUserLink(MediaWiki\User\User)
#15 /srv/mediawiki/php-1.46.0-wmf.5/includes/SpecialPage/ContributionsSpecialPage.php(227): MediaWiki\SpecialPage\ContributionsSpecialPage->contributionsSub(MediaWiki\User\User, string)
#16 /srv/mediawiki/php-1.46.0-wmf.5/includes/SpecialPage/SpecialPage.php(711): MediaWiki\SpecialPage\ContributionsSpecialPage->execute(string)
#17 /srv/mediawiki/php-1.46.0-wmf.5/includes/SpecialPage/SpecialPageFactory.php(1744): MediaWiki\SpecialPage\SpecialPage->run(string)
#18 /srv/mediawiki/php-1.46.0-wmf.5/includes/Actions/ActionEntryPoint.php(499): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, MediaWiki\Context\RequestContext)
#19 /srv/mediawiki/php-1.46.0-wmf.5/includes/Actions/ActionEntryPoint.php(143): MediaWiki\Actions\ActionEntryPoint->performRequest()
#20 /srv/mediawiki/php-1.46.0-wmf.5/includes/MediaWikiEntryPoint.php(184): MediaWiki\Actions\ActionEntryPoint->execute()
#21 /srv/mediawiki/php-1.46.0-wmf.5/index.php(44): MediaWiki\MediaWikiEntryPoint->run()
#22 /srv/mediawiki/w/index.php(3): require(string)
#23 {main}

Impact

This prevents loading the contributions page, Special:CentralAuth, and many other pages for this user.

Acceptance criteria

  • It is possible to load the contributions page of the user with the username "Nr: 135"

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Aug 5 2025, 3:09 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptAug 5 2025, 3:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Dreamy_Jazz moved this task from Backlog to Maintenance to triage on the Trust and Safety Product Sprint board.Aug 5 2025, 3:13 PM
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Aug 6 2025, 8:20 AM
Dreamy_Jazz set the point value for this task to 0.25.Aug 11 2025, 2:18 PM
OKryva-WMF edited projects, added Product Safety and Integrity; removed Trust and Safety Product Sprint.Sep 26 2025, 12:55 PM
OKryva-WMF moved this task from Inbox to Next sprint on the Product Safety and Integrity board.Sep 26 2025, 12:57 PM
OKryva-WMF added a project: Essential-Work.Oct 3 2025, 2:20 PM
OKryva-WMF removed a project: Trust and Safety Product Team.Oct 10 2025, 9:52 AM
thcipriani moved this task from Untriaged to Oct-Dec 2025 on the Wikimedia-production-error board.Nov 13 2025, 4:28 PM
thcipriani moved this task from Oct-Dec 2025 to Jul–Sep 2025 on the Wikimedia-production-error board.Nov 13 2025, 4:40 PM
mszwarc edited projects, added Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)); removed Product Safety and Integrity.Nov 19 2025, 12:20 PM
OKryva-WMF moved this task from Backlog to Ready on the Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)) board.Dec 15 2025, 2:18 PM
Dreamy_Jazz added a comment.Dec 15 2025, 5:35 PM

Having looked into this a bit more, GlobalBlocking is causing a valid problem to be surfaced where the user Nr: 135 does exist in all of the enwiki.user, centralauth.globaluser, and centralauth.localuser.

Therefore, this is an issue with MediaWiki-extensions-CentralAuth

Dreamy_Jazz renamed this task from GlobalBlocking: Exception when invalid username viewed on Special:Contributions to CentralAuth has rows for invalid username "Nr: 135".Dec 15 2025, 5:39 PM
Dreamy_Jazz renamed this task from CentralAuth has rows for invalid username "Nr: 135" to WMF wikis CentralAuth database tables have rows for invalid username "Nr: 135".
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz edited projects, added MediaWiki-extensions-CentralAuth, MediaWiki-Platform-Team; removed Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)), Essential-Work.
Dreamy_Jazz added a comment.Dec 15 2025, 5:42 PM

Because our team does not own MediaWiki-extensions-CentralAuth, we do not have the decision making authority to decide what to do with the user "Nr: 135". It is likely that they will have to be renamed to fix the user, but I (or my team) cannot make that decision.

Therefore, I am removing the Product Safety and Integrity team tag and have updated the task to focus on fixing the specific invalid user. The checks in GlobalBlocking are correct because they check first if a local user ID exists for the username, which should prevent any issues surrounding fetching the central ID of a invalid username

Bugreporter subscribed.EditedDec 16 2025, 9:25 AM

See: T372880: User::isAllowed throws from CentralAuthUser when username contains colon, T377588: CentralAuthIdLookup throws from CentralAuthUser for username with a colon

Dreamy_Jazz added a comment.Dec 16 2025, 4:44 PM

Also seen for "H:harihar" on enwikisource: https://logstash.wikimedia.org/app/dashboards#/doc/logstash-*/logstash-deploy-1-7.0.0-1-2025.12.16?id=5xy8J5sBFM-LSVmL5vl2

Krinkle edited projects, added MediaWiki-Platform-Team (Radar), Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)), Essential-Work; removed MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth.EditedDec 16 2025, 7:15 PM
Krinkle added subscribers: matmarex, Tgr, Krinkle.

There are two ways this can happen.

  1. One way is to create the account on a wiki where the username is valid, and then try login (auto-create) on a wiki where that name is invalid due to a local namespace name or namespace alias. For example WP: a local alias for Wikipedia: on various wikis, but would not be reserved as such on Meta-Wiki or Commons.

Impact: This prevents login and autocreate, forcing the user to stay logged-out, but keeps integrity of local user account validity and does not pose issues with viewing contributions or assigning user rights, because the account never starts to exist, and thus doesn't need to be interacted with. This is similar to what happens with local AbuseFilter today (T354487), although that one is fixable by issueing a create+block instead of denying creation. We probalby can't do that with cases where the name is invalid rather than disallowed.

  1. Another way is to introduce a namespace alias or interwiki after such an account already exists. This could be a local namespace, or a global interwiki prefix. For example, an account may have been created in the past before the WP: alias was locally requested on that same wiki. Or in the case of an interwiki or interlanguage prefix, if the account predates the creation of a wiki in that language.

Impact: This means an account retroactively becomes invalid and creates problems with Special:Contributions and other UIs/APIs. This task is an example of this. The Nr: 135 account predates the creation of https://nr.wikipedia.org and the nr: interwiki prefix. We have the WikimediaMaintenance/renameInvalidUsernames.php script for this exact purpose. It looks like this hasn't been part of the Add a wiki process in practice.

In discussing this with the MediaWiki Platform Team today, @Tgr mentions that long-term we should disallow creation of accounts with : so that this issue doesn't happen again. We actually already did that in 2015 (T98757), with the introduction of wgInvalidUsernameCharacters which is used to deny use of : in new usernames. However, as @matmarex already noted in August 2024 at T372880#10093187, we have yet to do a mass rename (T160296).

We resolved T372880 for User::isAllowed by avoiding CentralAuthUser. The trace in the current task looks almost the same, but comes instead from CentralAuthIdLookup (via User::getBlock/extensions-GlobalBlocking). This is already reported and tracked at T377588.

In T401212#11461372, @Dreamy_Jazz wrote:

Because our team does not own MediaWiki-extensions-CentralAuth, we do not have the decision making authority to decide what to do with the user "Nr: 135". It is likely that they will have to be renamed to fix the user, but I (or my team) cannot make that decision.

Our decision is that such usernames are invalid and should be renamed. Please work with the stewards and this user to rename the account.

The medium-term task for MediaWiki Platform Team to supporting this in CentralAuth is T377588: CentralAuthIdLookup throws from CentralAuthUser for username with a colon.

The long-term task for renaming other accounts is T160296: Rename global users with invalid characters on their usernames.

Dreamy_Jazz removed a project: Product Safety and Integrity (Essential Work Sprint (Dec 15th - Jan 9th)).EditedDec 17 2025, 10:35 AM

I'm not sure Product Safety and Integrity has the bandwidth to be renaming specific accounts when we see them, given that we need to go and ask stewards to do this each time we see these accounts (instead of being able to do it ourselves).

Given the above, I would say that it is better to do this through T160296: Rename global users with invalid characters on their usernames because this issue would appear for any of the accounts that have invalid usernames and doing this in one batch would be better (especially for the stewards as a mass rename is quicker than one-by-one)

Dreamy_Jazz added a subtask: T160296: Rename global users with invalid characters on their usernames.Dec 17 2025, 10:39 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits