Background
Several user groups, such as interface admins and check users, are required to have 2FA configured in order to use their rights. Currently, this is enforced by custom code handling the UserEffectiveGroups hook. Now, since T406544: Create a way to technically enforce policies for restricted groups, we have a generic way to specify group requirements, so we should port the legacy 2FA conditions to that new mechanism.
This task focuses solely on implementing features that are required to port existing behavior to the new architecture of group requirements. It does not cover situations like global groups, which are not supported by the current 2FA enforcement – they should be worked on separately.
Feature requirements
The new system should replicate the high-level goals of the current ad-hoc solution and address its major issues. The key features would be:
- Only allow granting a 2FA-restricted group if the target user has 2FA
- Do not allow a user to remove their 2FA if they are in a 2FA-restricted group
- Rework the 2FA recovery process used by Wikimedia Trust & Safety not to involve removing 2FA from the affected user
- Keep the "disabled groups" mechanism
- Make it possible to configure that users who don't meet certain group requirements are removed from these groups
Technical outline
This work will focus on extending the set of conditions supported for $wgRestrictedGroups to support checking for whether a user has 2FA enabled. Additionally, a new type of restriction will need to be introduced – one which is checked continuously (instead of only on granting).
```php
$wgRestrictedGroups = [
    'groupName' => [
        // Already exist
        'memberConditions' => $condsArrayForMember,
        'updaterConditions' => $condsArrayForPerformer,
        // If set to true, this group allows for automatic demotion of ineligible users.
        // If false, the group will at most be disabled.
        // The group won't get disabled or removed if it allows for bypassing conditions
        'demote' => $demote,
    ],
    // ...
];
```
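As an added illustration (not code from this task or from MediaWiki), the following models how the continuous check and the `demote` flag would resolve membership for the two groups named above, and how the "cannot remove your own 2FA" rule follows from the same config. The group names are assumed, the condition key `requires2fa` is a hypothetical placeholder for whatever condition syntax `$wgRestrictedGroups` ends up accepting, and `$canBypass` stands in for a bypass decision made elsewhere.

```php
<?php
// Constructed sample config: group names are assumed, and the condition key
// 'requires2fa' is a hypothetical placeholder for a "user has 2FA enabled" check.
$wgRestrictedGroups = [
    'interface-admin' => [
        'memberConditions' => [ 'requires2fa' => true ],
        'demote' => false, // ineligible members are only disabled
    ],
    'checkuser' => [
        'memberConditions' => [ 'requires2fa' => true ],
        'demote' => true,  // ineligible members are removed from the group
    ],
];

/**
 * Resolve a user's membership in one restricted group on a continuous check.
 * $canBypass is assumed to be computed elsewhere (whether this group lets the
 * user bypass its conditions). Returns 'active', 'disabled' or 'removed'.
 */
function resolveMembership( array $groupConfig, bool $userHas2FA, bool $canBypass ): string {
    $requires2FA = (bool)( $groupConfig['memberConditions']['requires2fa'] ?? false );
    if ( !$requires2FA || $userHas2FA || $canBypass ) {
        // Eligible, or allowed to bypass conditions: never disabled or removed.
        return 'active';
    }
    return !empty( $groupConfig['demote'] ) ? 'removed' : 'disabled';
}

/**
 * A user may only disable their 2FA if none of their restricted groups require it.
 */
function canDisable2FA( array $restrictedGroups, array $userGroups ): bool {
    foreach ( $userGroups as $group ) {
        if ( !empty( $restrictedGroups[$group]['memberConditions']['requires2fa'] ) ) {
            return false;
        }
    }
    return true;
}

// Constructed scenario: the same user, without 2FA, evaluated against each group.
foreach ( $wgRestrictedGroups as $name => $config ) {
    printf( "%s without 2FA: %s\n", $name, resolveMembership( $config, false, false ) );
}
var_dump( canDisable2FA( $wgRestrictedGroups, [ 'checkuser' ] ) );
var_dump( canDisable2FA( $wgRestrictedGroups, [ 'sysop' ] ) );
```

With this config an interface admin without 2FA keeps the group in a disabled state, while a checkuser without 2FA is removed from the group; a member of either group is refused when trying to disable their own 2FA.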