Allow technically enforcing policies for restricted global groups
Open, Needs TriagePublic
Actions

Description

Background

Since T409714: Update UserGroupAssignmentService to check restricted groups, it is possible to configure a group such that its members must meet a set of conditions, and users who are adding members must meet certain conditions. This currently works only for local groups.

We need to make this work for global groups too. This should be easier thanks to work already done to share logic between the special pages (T406003) and services (T405575).

How it works for local groups

SpecialUserRights asks UserGroupAssignmentService for changeable groups
UserGroupAssignmentService asks UserGroupManager for addable/removeable groups
UserGroupAssignmentService asks RestrictedUserGroupChecker for restricted groups
RestrictedUserGroupChecker calculates this, using UserRequirementsConditionChecker

How this could work for global groups

SpecialGlobalGroupMembership asks GlobalGroupAssignmentService for changeable groups
GlobalGroupAssignmentService calculates addable/removable/automatic groups
New functionality: GlobalGroupAssignmentService could ask RestrictedUserGroupChecker for restricted groups
- If using the same config, we would need to disallow global and local groups having the same name
- Or we could use a different config, $wgGlobalRestrictedGroups, and have a local and global version of the RestrictedUserGroupChecker
RestrictedUserGroupChecker would calculate this, using UserRequirementsConditionChecker

This means the user would need to be a local user rather than a CentralAuthUser, since UserRequirementsConditionChecker works with local users. This seems OK though, since (1) the use-cases we currently know about involve checking 2FA on the local wiki, and (2) where global conditions need to be met (e.g. global editcount), CentralAuth would add these via a hook and check them against the central user.

Acceptance criteria

It is possible to configure a restricted global group, similarly to how a restricted local group would be configured.

Related Objects
Search...

Status	Assigned	Task
		Restricted Task
Open	None	T150898 Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis
		Restricted Task
Resolved	mszwarc	T391699 Add functionality to disallow bureaucrats who do not have 2fa enabled to grant certain privileged rights/groups
Resolved	mszwarc	T406544 Create a way to technically enforce policies for restricted groups
		Restricted Task
Open	None	T421852 Drop $wgOATHRequiredForGroups and related code
Open	None	T390386 Be able to force OATHAuth for certain global user groups
Open	None	T410076 Allow technically enforcing policies for restricted global groups
Open	None	T422119 Check restricted global groups when granting
Open	mszwarc	T422123 Support declaring conditions for global groups
Open	mszwarc	T422133 Make GlobalGroupAssignmentService check conditions for global groups
Resolved	mszwarc	T422138 Reflect the group restrictions on Special:GlobalUserRights
Open	mszwarc	T422605 Add 'scope' option in $wgRestrictedGroups
Open	mszwarc	T423074 Prevent members of a 2FA-enforced global group from disabling 2FA
Open	mszwarc	T423075 Display global group restrictions on Special:GlobalGroupPermissions

Event Timeline

Tchanders created this task.Nov 13 2025, 6:43 PM

JJMC89 added a project: MediaWiki-extensions-CentralAuth.Nov 13 2025, 7:34 PM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptNov 13 2025, 7:34 PM

Johannnes89 subscribed.Nov 13 2025, 7:36 PM

Tchanders added a project: Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)).Nov 17 2025, 9:28 AM

Tchanders moved this task from Backlog to Ready on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.

JTweed-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Nov 17 2025, 3:47 PM

Tchanders removed a project: Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)).Nov 26 2025, 2:07 PM

sgrabarczuk subscribed.Feb 10 2026, 2:21 PM

PixDeVl subscribed.Feb 10 2026, 6:49 PM

If using the same config, we would need to disallow global and local groups having the same name

This probably best avoided, quickly looking at Wikimedia Meta, this would at the least require the steward global or local group to be renamed, which may cause more headaches for updating things that rely on the group name (don't have an example on hand but I would not be shocked if some existing bots or tools check if a user is a steward by group name. Off Wikimedia, the Miraheze project also has at least 4 groups that have a local and global group of the same name. Making a slightly modifed version of the existing config seems to be the least bothersome option overall.

Pskyechology subscribed.Feb 13 2026, 11:59 PM

Bugreporter added a parent task: T390386: Be able to force OATHAuth for certain global user groups.Mon, Mar 30, 3:16 AM

mszwarc created subtask T422119: Check restricted global groups when granting.Thu, Apr 2, 9:42 AM

mszwarc added a project: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))).Thu, Apr 2, 10:36 AM

mszwarc moved this task from Backlog to Epics in progress on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Thu, Apr 2, 10:38 AM

Bugreporter mentioned this in T422123: Support declaring conditions for global groups.Thu, Apr 2, 10:46 AM

mszwarc added a subtask: T423074: Prevent members of a 2FA-enforced global group from disabling 2FA.Mon, Apr 13, 11:15 AM

mszwarc mentioned this in T423118: FY25-26 Q4: Phase 1 of 2FA enforcement in Wikimedia production.Mon, Apr 13, 11:34 AM

OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)); removed Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))).Mon, Apr 13, 3:43 PM

OKryva-WMF moved this task from Backlog to Epics in progress on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.