Page MenuHomePhabricator
Create Task
Maniphest T406544

Create a way to technically enforce policies for restricted groups
Open, Needs TriagePublic
Actions

Description

Background

Some groups have requirements, e.g. that the group member must have 2FA, or a minimum edit count / account age, or have signed an agreement.

At the moment, some of these requirements are enforced by MediaWiki, and others are checked manually. Of those that are enforced, the enforcement is done ad hoc and in different ways. To enforce a new requirement for a new group, a software change must be made.

This task is for creating a general way to configure enforcement, so it is easier to understand which groups have which requirements, and to add a new group requirement.

This task is not for technically enforcing all group requirements. Instead, those that are currently enforced will be migrated to the new system, and whether to enforce others will be discussed and decided on a case-by-case basis.

Feature requirements

The new system should allow:

  • Defining restricted groups, where members must meet requirements
  • Restricting adding to a restricted group depending on attributes of the user to be added
  • Restricting adding, removing and updating expiry of a restricted group depending on attributes of the performing user
  • Exceptions, where a restricted group may be added without the user meeting requirements, by a particularly trusted user
  • Checking whether requirements are still met when the user tries to use rights conferred by a restricted group (note that this won't be possible for a group where users can be added without meeting requirements)
  • Enacting consequences if a restricted group's member no longer meets requirements

The same system should be used by local and global groups.

We will also consider:

  • How to enforce requirements for particular rights (as opposed to groups)
Technical outline

A new configuration will define which groups are restricted, and how:

// Restricted groups config
// - conditions are the same as $wgAutopromote
// - to add, target must meet memberConditions AND performer must meet updaterConditions
// - to remove or update expiry, performer must meet updaterConditions
// - if canBeIgnored, user with the 'ignore-restricted-groups' right can update the group without checking the conditions
// - if canBeIgnored, member's conditions are not checked again
// - if !canBeIgnored, check the conditions every time membership is checked
$wgRestrictedGroups = [
	'groupName' => [
		'memberConditions' => $condsArrayForMember,
		'updaterConditions' => $condsArrayForPerformer,
		'canBeIgnored' => $canBeIgnored,
	],
	...
];

// Restricted rights config
// - conditions are the same as $wgAutopromote
$wgRestrictedRights = [
	'groupName' => $condsArray,
	...
];

A new right, 'ignore-restricted-groups', will allow some users to ignore requirements, for some groups.

New services:

  • A service for validating restricted groups which will have public methods like canAddGroup( $group, $target, $performer ) and canUseGroup( $group, $user )
  • A service for checking that users meet conditions, refactored from UserGroupManager::recursiveCheckCondition and ::checkCondition, which is called by the group validator service: T406547
  • Potentially a rights validator service with canUseRight( $right, $user )

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 OpenNoneT150898 Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis
Restricted Task
 OpenNoneT391699 Add functionality to disallow bureaucrats who do not have 2fa enabled to grant certain privileged rights/groups
 OpenNoneT406544 Create a way to technically enforce policies for restricted groups
 ResolvedmszwarcT405575 Share logic between Special:UserRights and Special:GlobalGroupMembership
 ResolvedmszwarcT406003 Share the UI generation between Special:UserRights and Special:GlobalGroupMembership
 ResolvedTchandersT404436 Investigate implementing requirements for membership of local groups
 OpenTchandersT117884 Convert Special:UserRights to HTMLForm
 ResolvedmatmarexT123935 Use CheckboxMultiSelectWidget (when it exists) in HTMLMultiSelectField
 ResolvedmatmarexT117782 Implement CheckboxMultiselectWidget (and CheckboxMultiselectInputWidget)
 ResolvedHujiT153927 OOjs UI should allow disabling specific options of CheckboxMultiselectInputWidget
 ResolvedJayprakash12345T204411 Introduce HTMLGlobalUserTextField::class for global users
 ResolvedReedyT406547 Create service for checking conditions used by autopromote
 ResolvedmszwarcT407886 Create a service for validating whether a user can be added to a restricted group
 ResolvedmszwarcT407889 Update UserRequirementsConditionChecker to handle target users for UserGroupAssignmentService
 ResolvedmszwarcT408181 Update UserEditTracker to support users from remote wikis
 ResolvedmszwarcT408182 Update LocalUserRegistrationProvider to support users from remote wikis
 OpenNoneT352871 Factor user registration loading to LocalUserRegistrationProvider
 ResolvedmszwarcT408184 Replace AutopromoteCondition hook with a more general one, which supports non-performer users and remote users
 ResolvedReedyT409718 Remove $wgCheckUserGroupRequirements and related code
 ResolvedReedyT409717 Configure temporary-account-viewer group to use RestrictedGroups config
 ResolvedTchandersT409714 Update UserGroupAssignmentService to check restricted groups
 OpenNoneT410076 Allow technically enforcing policies for restricted global groups

Event Timeline

Tchanders created this task.Oct 7 2025, 6:10 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2025, 6:10 AM
Tchanders moved this task from Priority backlog to Epics in progress on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 7 2025, 6:10 AM
Tchanders added subtasks: T405575: Share logic between Special:UserRights and Special:GlobalGroupMembership, T404436: Investigate implementing requirements for membership of local groups.
Tchanders added a subtask: T117884: Convert Special:UserRights to HTMLForm.
Tchanders updated the task description. (Show Details)Oct 7 2025, 6:16 AM
Tchanders mentioned this in T406547: Create service for checking conditions used by autopromote.Oct 7 2025, 6:23 AM
Tchanders added a subtask: T406547: Create service for checking conditions used by autopromote.
Tchanders closed subtask T404436: Investigate implementing requirements for membership of local groups as Resolved.Oct 7 2025, 4:06 PM
Tchanders mentioned this in T404436: Investigate implementing requirements for membership of local groups.
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)); removed Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)).Oct 17 2025, 1:46 PM
OKryva-WMF moved this task from Backlog to Epics in progress on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Oct 17 2025, 1:46 PM
Tchanders updated the task description. (Show Details)Oct 21 2025, 4:23 PM
Tchanders mentioned this in T407886: Create a service for validating whether a user can be added to a restricted group.Oct 21 2025, 5:45 PM
Tchanders added a subtask: T407886: Create a service for validating whether a user can be added to a restricted group.
mszwarc closed subtask T406547: Create service for checking conditions used by autopromote as Resolved.Oct 23 2025, 8:12 AM
mszwarc mentioned this in T352871: Factor user registration loading to LocalUserRegistrationProvider.Oct 24 2025, 8:37 AM
mszwarc closed subtask T405575: Share logic between Special:UserRights and Special:GlobalGroupMembership as Resolved.Oct 24 2025, 8:55 AM
mszwarc changed the status of subtask T407886: Create a service for validating whether a user can be added to a restricted group from Open to In Progress.Oct 30 2025, 9:21 AM
mszwarc closed subtask T407886: Create a service for validating whether a user can be added to a restricted group as Resolved.Nov 6 2025, 11:33 AM
Tchanders removed a subtask: T409714: Update UserGroupAssignmentService to check restricted groups.Nov 10 2025, 11:48 AM
Tchanders removed a subtask: T409717: Configure temporary-account-viewer group to use RestrictedGroups config.
Tchanders edited projects, added Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)); removed Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)).Nov 10 2025, 11:53 AM
Tchanders moved this task from Backlog to Epics in progress on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.
Johannnes89 subscribed.Nov 13 2025, 7:37 PM
Bugreporter added a parent task: T391699: Add functionality to disallow bureaucrats who do not have 2fa enabled to grant certain privileged rights/groups.Nov 27 2025, 11:46 AM
Reedy closed subtask T409718: Remove $wgCheckUserGroupRequirements and related code as Resolved.Nov 27 2025, 6:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits