Page MenuHomePhabricator

Enable registration for everybody at
Closed, ResolvedPublic


This is just a compilation of the tasks that need to be solved in order to open registration to Wikimedia users in

If you need access urgently, check

Event Timeline

Qgil raised the priority of this task from to High.
Qgil updated the task description. (Show Details)
Qgil changed Security from none to None.
Qgil added a subscriber: Qgil.
Qgil renamed this task from Open registration at to Enable registration at 19 2014, 12:27 PM
Aklapper renamed this task from Enable registration at to Enable registration for everybody at 19 2014, 10:27 PM

We could create a Wikimedia Phabricator Early Tester Agreement and restrict access to Maniphest to those that have signed it. Once the blockers are resolved, we set back the usual permissions and we forget about this agreement. You can test this setup in now.

This would allow us to enable LDAP now, while we solve the blockers. Again, we need more real users to test and get familiar with Phabricator, and the process of enabling/disabling manually doesn't scale.

@Qgil: Sounds good to me but it isn't my call.

In T463#16, @Qgil wrote:

We could create a Wikimedia Phabricator Early Tester Agreement and restrict access

For the records, I've sent an email to Chase and csteipp as I'd like to understand possible security implications and if there's any issues if we technically allowed file uploads and delete them later, etc.

This comment has been deleted.

I really want to open registration for this production instance. We need real users before the Bugzilla migration, and every day that we delay this step we are introducing a higher risk of missing the kind of problems that only real users doing real work happen to find. In my opinion, this risk is more problematic than the risk of e.g. users uploading files or modifying the reference field.

I propose to enable the testers agreement with LDAP and SUL registration today (if SUL takes a bit longer that's fine; enabling LDAP is just a matter of ticking a checkbox). I will reply to Andre's email CCing Rob and MarkB, after that there is the Phabricator weekly meeting, and after that we have The Very Basics of Phabricator tech talk. After this session, I hope to have receivedenough feedback to make a decision.

@Qgil: there are some very real security implications if we allow file uploads without having T373 in place so that one probably needs to be a hard blocker.

Another possibility is to enable local uploads only (not in another domain) until T373 is fixed. We would be discouraging users to upload files, we would tell them that we will delete any file uploaded now, and if even after this someone uploads a file, it would be stored locally, without those security risks. Right now, user registration is a lot more important than file uploads.

@Qgil: allowing uploads without the separate domain is specifically the thing that causes security issues.

In T463#24, @Qgil wrote:

I hope to have received enough feedback to make a decision.

Indeed, and the decision is that there is no way to skip T373: get certificate for Only when that task is resolved we can open registration. When that happens, we will opoen registration without need of any testers agreement.

After all the fixes implemented yesterday (big thank you!), can we enable LDAP for everybody now?

Also, another week has passed, and we haven't heard from upstream in reference to T368: Upstream mediawiki oauth provider for Phabricator. Can we enable Wikimedia SUL locally?

I still have cleanup to do regarding the migration from fab. This is not ready. I will comment here when it is.

This comment was removed by chasemp.

Registration is now officially open for everybody. Big Thank You to @chasemp and everybody involved!