Page MenuHomePhabricator
Create Task
Maniphest T422133

Make GlobalGroupAssignmentService check conditions for global groups
Closed, ResolvedPublic
Actions

Description

Similarly to core's UserGroupAssignmentService, the GlobalGroupAssignmentService should evaluate user requirements conditions when determining what groups can and cannot be assigned to the given user.

Since the conditions are evaluated against UserIdentity, the local identity of the target global user should be passed to the condition checker. This local identity should be from the current wiki.

This approach will enable checking conditions for global group assignments without the need to maintain a second set of condition handlers, operating on CentralAuthUsers. A side-effect of that scenario is that global group conditions might take into account local user properties (which are different for different wikis), but – in principle – we can't protect site admins from setting a non-sense configuration of their site, so this risk is probably acceptable. It's similar to possibility of setting logal group conditions, which only make sense for autopromotion (such as user's IP).

Acceptance criteria

  • Trying to add an ineligible user to a restricted global group fails.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
GlobalGroupAssignmentService: Support $wgRestrictedGroups conditionsmediawiki/extensions/CentralAuthmaster+121 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

mszwarc created this task.Apr 2 2026, 10:30 AM
mszwarc edited projects, added Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed Product Safety and Integrity.Apr 2 2026, 10:36 AM
mszwarc moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
mszwarc claimed this task.Apr 2 2026, 10:38 AM
mszwarc moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
mszwarc moved this task from In progress to Ready on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Apr 7 2026, 9:58 AM
mszwarc moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Apr 8 2026, 8:18 AM
gerritbot added a comment.Apr 9 2026, 8:13 AM

Change #1269336 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/CentralAuth@master] GlobalGroupAssignmentService: Support $wgRestrictedGroups conditions

https://gerrit.wikimedia.org/r/1269336

gerritbot added a project: Patch-For-Review.Apr 9 2026, 8:13 AM
mszwarc moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Apr 9 2026, 9:27 AM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)); removed Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))).Apr 13 2026, 3:44 PM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.Apr 13 2026, 3:44 PM
gerritbot added a comment.Mon, Apr 20, 5:28 PM

Change #1269336 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] GlobalGroupAssignmentService: Support $wgRestrictedGroups conditions

https://gerrit.wikimedia.org/r/1269336

Maintenance_bot removed a project: Patch-For-Review.Mon, Apr 20, 5:30 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.26; 2026-04-28).Mon, Apr 20, 6:00 PM
mszwarc closed this task as Resolved.Tue, Apr 21, 8:46 AM
mszwarc moved this task from Needs review to Done on the Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)) board.
mszwarc updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits