Page MenuHomePhabricator
Create Task
Maniphest T409714

Update UserGroupAssignmentService to check restricted groups
Closed, ResolvedPublic
Actions

Description

Background

RestrictedUserGroupChecker was introduced in T407886: Create a service for validating whether a user can be added to a restricted group, along with the RestrictedGroupsconfig, but neither are used yet.

UserGroupAssignmentService should be updated to check this service when checking which groups a performer can change for a given target.

This will allow groups to be configured using the RestrictedGroups config.

Technical details

UserGroupAssignmentService::computeChangeableGroups should check via RestrictedUserGroupChecker whether a particular performer may add or remove a group, before deciding whether or not it is changeable.

Eventually this will replace running the SpecialUserRightsChangeableGroups hook, but that will be done in a separate task.

Note that the hook provides a message with each restricted group, to explain why a group cannot be added. It should also be possible to display a message if the group is determined by RestrictedUserGroupChecker to be restricted.

Acceptance criteria
  • It would be possible to re-configure a restricted group via $wgRestrictedGroups instead of SpecialUserRightsChangeableGroupsHook, and have it behave the same as if it were configured via the hook

(Don't actually reconfigure the group in this task.)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
UserGroupAssignmentService: Check for restricted groupsmediawiki/coreREL1_45+206 -6
UserGroupAssignmentService: Check for restricted groupsmediawiki/coremaster+206 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.Nov 10 2025, 11:29 AM
Tchanders edited projects, added Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)); removed Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)).
Tchanders mentioned this in T409717: Configure temporary-account-viewer group to use RestrictedGroups config.Nov 10 2025, 11:43 AM
Tchanders edited parent tasks, added: T409718: Remove $wgCheckUserGroupRequirements and related code; removed: T406544: Create a way to technically enforce policies for restricted groups.Nov 10 2025, 11:48 AM
Tchanders edited parent tasks, added: T409717: Configure temporary-account-viewer group to use RestrictedGroups config; removed: T409718: Remove $wgCheckUserGroupRequirements and related code.
A_smart_kitten subscribed.Nov 10 2025, 11:51 AM
Tchanders moved this task from Backlog to Ready on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 10 2025, 11:56 AM
Tchanders claimed this task.Nov 10 2025, 12:12 PM
Tchanders moved this task from Ready to In progress on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.
gerritbot added a comment.Nov 10 2025, 2:58 PM

Change #1203460 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] WIP UserGroupAssignmentService: Check for restricted groups

https://gerrit.wikimedia.org/r/1203460

gerritbot added a project: Patch-For-Review.Nov 10 2025, 2:58 PM
Tchanders added a comment.Nov 11 2025, 11:13 AM

What to do about the message shown when the conditions are not met?

Status quo

Target doesn't meet criteria
image.png (511×771 px, 44 KB)
Target doesn't meet criteria but performer is exempted
image.png (561×771 px, 43 KB)
Target meets criteria (no indication that group is restricted)
image.png (545×764 px, 39 KB)

Questions for the new system

We can consider these more fully in a separate task

  • Should we allow showing different messages depending on whether the performer/target meet requirements?
  • Should we actually show which conditions weren't met?
  • Should we keep it simple and allow defining just one message per group, which could e.g. link to policies?
  • Should we show these messages even if all conditions are met - would this be useful information or noise?

For this task

When to show the message: Let's keep the status quo for now - only showing it when the requirements are not met - but consider whether we should always show it, while we're considering everything else about the messaging.

Whether to allow configuring the message: I'm tempted not to add messages to the RestrictedGroups configuration right now since it's not clear what we need (one message, several messages?). Instead we could check for the existence of a message defined for a particular group, and show a default message otherwise.

Tchanders moved this task from In progress to Needs review on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 11 2025, 5:50 PM
Tchanders mentioned this in T410076: Allow technically enforcing policies for restricted global groups.Nov 13 2025, 6:43 PM
gerritbot added a comment.Nov 14 2025, 8:41 AM

Change #1203460 merged by jenkins-bot:

[mediawiki/core@master] UserGroupAssignmentService: Check for restricted groups

https://gerrit.wikimedia.org/r/1203460

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.3; 2025-11-19).Nov 14 2025, 9:00 AM
Maintenance_bot removed a project: Patch-For-Review.Nov 14 2025, 9:30 AM
Tchanders moved this task from Needs review to Needs QA on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 14 2025, 2:05 PM
Tchanders mentioned this in T117884: Convert Special:UserRights to HTMLForm.Nov 17 2025, 9:06 AM
gerritbot added a comment.Nov 27 2025, 5:24 PM

Change #1212197 had a related patch set uploaded (by Reedy; author: Tchanders):

[mediawiki/core@REL1_45] UserGroupAssignmentService: Check for restricted groups

https://gerrit.wikimedia.org/r/1212197

gerritbot added a project: Patch-For-Review.Nov 27 2025, 5:24 PM
gerritbot added a comment.Nov 27 2025, 5:49 PM

Change #1212197 abandoned by Reedy:

[mediawiki/core@REL1_45] UserGroupAssignmentService: Check for restricted groups

https://gerrit.wikimedia.org/r/1212197

Maintenance_bot removed a project: Patch-For-Review.Nov 27 2025, 6:30 PM
dom_walden moved this task from Needs QA to Done on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 28 2025, 1:38 PM
dom_walden subscribed.

I tested different groups with different combinations of memberConditions, updaterConditions and canBeIgnored being true or false.

If the performer has the ignore-restricted-groups rights, they can assign users to groups with canBeIgnored = true regardless of whether memberConditions or updaterConditions has been met. They cannot assign groups that have canBeIgnored = false unless both memberConditions and updaterConditions have been met.

If the performer does not have the ignore-restricted-groups rights, they can only assign groups when both memberConditions and updaterConditions have been met.

If a user already is in a group, I can remove them from the group regardless of whether memberConditions or updaterConditions have been met, whether canBeIgnored is true or false and whether I have the ignore-restricted-groups right. In this case, there is an * next to the groups I would not normally be allowed to add users to.

I tested this on Special:UserRights and via the action=userrights API.

I briefly tested the UI in different skins and languages. I found T411260 (which may be expected behaviour) and T411261.

Tchanders closed this task as Resolved.Dec 5 2025, 4:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits