Page MenuHomePhabricator

Prevent accounts to be globally hidden or oversighted if they're not about to be globally locked first (or already are).
Open, LowPublic

Description

The current CentralAuth form allows you to globally hid or oversight an account without setting the global lock option first.

It is my understanding that global hidding and global oversighting is a complement to global locking; as it makes no sense to globally oversight or hid an account without globally locking it first so it can continue editting.

Please prevent selecting the 'hidding' options if you don't select first the 'lock' option.

Thanks.


Version: unspecified
Severity: normal

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:34 AM
bzimport set Reference to bz45094.
bzimport added a subscriber: Unknown Object (MLST).

I would prefer to just add a javascript confirm dialog in this situation.

Javascript would be good, although checking that the user is locked on when doing the hide should be pretty easy also.

vvv added a comment.Feb 20 2013, 1:19 AM

Note that at least when I wrote it, oversighted users actually had stronger restrictions on them, like, they were not allowed to create accounts on new wikis because they'd appear in logs.

MarcoAurelio renamed this task from CentralAuth: Prevent accounts to be globally hidden or oversighted if they're not about to be globally locked first (or already are). to Prevent accounts to be globally hidden or oversighted if they're not about to be globally locked first (or already are)..Aug 11 2015, 11:37 AM
MarcoAurelio raised the priority of this task from Medium to Needs Triage.
MarcoAurelio set Security to None.
MarcoAurelio removed a subscriber: wikibugs-l-list.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 11 2015, 11:37 AM
Teles added a subscriber: Teles.Sep 11 2015, 7:35 PM

I think we don't need this: If you hide or oversight a account, this account gets blocked at all local projects. This is an advantage: Every time, the user logs in, autoblock gets activated, so he have problems to create new accounts. But if you lock the account he can't log in => no autoblock.

Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptDec 9 2015, 8:49 AM

I think we don't need this: If you hide or oversight a account, this account gets blocked at all local projects.

That's not how it works. Global account hidding just removes the account from Special:GlobalUsers and maybe users without the appropriate rights can't access Special:CentralAuth for that user either. When we globally oversight an account, CentralAuth goes wiki-by-wiki where the account exists and blocks the user with with nocreate, noemail, nousertalk, hideuser. Now, what would be the purpose on having an unlocked account but not visible in Special:GlobalUsers? or even worse, an unlocked account but globally oversighted? I've always thought "hidding" options were a complement for a lock. Best regards.

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptFeb 16 2016, 5:29 PM
MarcoAurelio triaged this task as Low priority.Feb 16 2016, 5:32 PM
Ajraddatz added a subscriber: Ajraddatz.

I think we don't need this: If you hide or oversight a account, this account gets blocked at all local projects.

That's not how it works. Global account hidding just removes the account from Special:GlobalUsers and maybe users without the appropriate rights can't access Special:CentralAuth for that user either. When we globally oversight an account, CentralAuth goes wiki-by-wiki where the account exists and blocks the user with with nocreate, noemail, nousertalk, hideuser. Now, what would be the purpose on having an unlocked account but not visible in Special:GlobalUsers? or even worse, an unlocked account but globally oversighted? I've always thought "hidding" options were a complement for a lock. Best regards.

I just tested this today looking for an unrelated bug, and surprisingly that is exactly how it works. I have also opened a bug for using a similar system to globally block accounts: [[ T133583 ]]

Change 285354 had a related patch set uploaded (by Glaisher):
Prevent global accounts from being hidden/suppressed if the account is not locked

https://gerrit.wikimedia.org/r/285354

Change 285354 abandoned by Thiemo Kreuz (WMDE):
Prevent global accounts from being hidden/suppressed if the account is not locked

Reason:
This patch was disputed and not updated in 4 years. The code this patch touches changed a lot in the meantime. It's most probably easier to start a new patch. This one here is still linked from the Phabricator ticket, and can still be used for inspiration, if needed. Or please feel free to reopen this patch in case you want to continue working on it.

https://gerrit.wikimedia.org/r/285354