Page MenuHomePhabricator
Create Task
Maniphest T416541

Automatic global group membership is updated on unrelated local group changes
Open, Needs TriagePublic
Actions

Description

Automatic global group membership is sometimes updated on unrelated local group changes:

In T397224#11376026, @Johannnes89 wrote:

Another weird case: https://en.wikibooks.org/w/index.php?title=Special:Log&logid=5292619 caused https://en.wikibooks.org/wiki/Special:Log/gblrights even though the relevant local group (CU) wasn't even changed – and local admins shouldn't be able to do anything that affects global groups: All local/global group changes (CU/OS/GS) which trigger granting/removing GTAIV can only be done by stewards.

I suppose this is because the new global group was not initially populated with the users belonging to relevant local groups, so the change took effect the next time the local group membership was changed in any way?

I think we should fix it by populating the groups with a maintenance script. I am already working on one for the 'local-bot' group from T415588: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1234540. Should we run the script for the 'global-temporary-account-viewer' group as well?

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add maintenance script to update automatic global group membershipmediawiki/extensions/CentralAuthmaster+89 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

matmarex created this task.Wed, Feb 4, 11:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptWed, Feb 4, 11:52 PM
Johannnes89 added a comment.Thu, Feb 5, 7:00 AM

Stewards didn’t get GTAIV because it’s redundant to our steward permissions. But it turned out most of us still got the permissions once our local groups changed in a wiki where we hold CU/OS permissions (even when the group change was unrelated to CU/OS like in the example above) or when temporarily granting CU/OS permissions to ourselves to perform actions on a wiki without local CU/OS.
As of today there are just four stewards left without GTAIV https://meta.wikimedia.org/wiki/Special:GlobalUsers?username=&group=steward&limit=100

Tchanders subscribed.Thu, Feb 5, 10:06 AM

I suppose this is because the new global group was not initially populated with the users belonging to relevant local groups, so the change took effect the next time the local group membership was changed in any way?

Yes, that would explain it.

I think we should fix it by populating the groups with a maintenance script. I am already working on one for the 'local-bot' group from T415588: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1234540. Should we run the script for the 'global-temporary-account-viewer' group as well?

Thanks. Yes please, it makes sense to run it for 'global-temporary-account-viewer' too.

Tchanders mentioned this in T416542: Log entries for automatic global group membership changes are created on local wikis, not Meta.Thu, Feb 5, 10:34 AM
matmarex mentioned this in T415588: Add rate limit class for accounts that are in a local bot group on any wiki.Thu, Feb 5, 9:13 PM
NguoiDungKhongDinhDanh subscribed.Thu, Feb 5, 10:11 PM
gerritbot added a comment.Fri, Feb 6, 9:01 PM

Change #1234540 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] Add maintenance script to update automatic global group membership

https://gerrit.wikimedia.org/r/1234540

gerritbot added a project: Patch-For-Review.Fri, Feb 6, 9:01 PM
matmarex claimed this task.Fri, Feb 6, 9:52 PM
matmarex added a parent task: T415588: Add rate limit class for accounts that are in a local bot group on any wiki.
matmarex moved this task from Inbox, needs triage to Q3 Kanban Board on the MediaWiki-Platform-Team board.
matmarex edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.
matmarex moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
gerritbot added a comment.Sun, Feb 15, 1:20 PM

Change #1234540 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Add maintenance script to update automatic global group membership

https://gerrit.wikimedia.org/r/1234540

Maintenance_bot removed a project: Patch-For-Review.Sun, Feb 15, 1:30 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.16; 2026-02-17).Sun, Feb 15, 2:00 PM
matmarex added a comment.Tue, Feb 17, 4:19 AM

Next step: wait for train rollout, then run foreachwikiindblist sul CentralAuth:UpdateAutomaticGlobalGroupMembership --local-group=checkuser --local-group=suppress. This will take care of any outstanding memberships in global-temporary-account-viewer that weren't processed before, per this config for local groups: https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/a13355b072b61df5be4e319f3fdaec6479fb3276/wmf-config/CommonSettings.php#4568 (I checked and all users in the global group global-sysop are already members of the new global group, so there's no need to handle that). Changes will be logged at https://meta.wikimedia.org/wiki/Special:Log/gblrights/Maintenance_script.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits