Page MenuHomePhabricator
Create Task
Maniphest T212268

Make the abusefilter-blocker user not be a sysop
Open, Needs TriagePublic
Actions

Description

According to a code comment, the user returned by AbuseFilter::getFilterUser() is made a sysop so that "it doesn't look like an unprivileged account is blocking users". Given how precious small wiki communities are about their admin lists, as evidenced by comments on T209565, this may be the lesser of two evils.

Perhaps all users created by User::newSystemUser() could be in a special system user group, that would clear up any confusion about how it is that unprivileged users are able to make privileged actions. The new group would not need any rights assigned to it, since these users act through APIs that do not perform authorization.

In the meantime, note that it is safe to remove the sysop flag from the abusefilter-blocker user using Special:UserRights.

Details

SubjectRepoBranchLines +/-
Move the AbuseFilter user name to a constant, improve itmediawiki/extensions/AbuseFiltermaster+114 -39
Customize query in gerrit

Related Objects

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 19 2018, 12:21 AM
tstarling mentioned this in T209565: Dry run for normalizeThrottleParameters.php.Dec 19 2018, 12:24 AM
Ejs-80 subscribed.Dec 19 2018, 12:48 AM
Xiplus subscribed.Dec 19 2018, 1:38 AM
MarcoAurelio subscribed.Dec 19 2018, 7:06 AM

I think part of this confusion could be solved if we acted upon T160666. We
have several other system users such as MediaWiki default, Maintenance
script, MediaWiki message delivery, Redirect fixer, etc. whose name is one
for all wikis, which helps identifying the account via CentralAuth and
benefits from GlobalUserPage. I feel what we have here with
abusefilter-blocker is an exception. Also, it can cause broken logs if the
abusefilter-blocker string gets modified once it has logs aasigned to the
previous account name, etc. Thanks.

Jni subscribed.Dec 19 2018, 8:42 AM
Daimona added a comment.Dec 19 2018, 8:57 AM

Originally I didn't really agree with the rationale behind T160666, but now I think that it's actually worth going on with that. We would benefit from centralAuth, and it won't be possible for people to change the account name, or to use invalid characters inside the message, as it happened in kmwiki.
Another thing we need is some way to clearly identify system users, both backend (as discussed for instance here) and frontend, so that users don't get confused.

Daimona added a project: User-Daimona.Dec 19 2018, 8:58 AM
Daimona moved this task from Backlog to Next on the User-Daimona board.
Shizhao added a project: User-notice.Dec 20 2018, 11:53 AM
MisterSynergy subscribed.Dec 21 2018, 4:01 PM

Two impressions from the communities:

In both cases, there is concern about the abusefilter-blocker user having a (symbolic) sysop flag.

Daimona removed a project: User-notice.Dec 21 2018, 4:20 PM

Sincerely I cannot personally understand the concern, as I already said. However, we will do something to change the AbuseFilter user; from my side, I won't be able to do much these days, but I'll try to do something in 1-2 weeks or so. Removing User-notice because I already added it to T209565, together with some message samples.

Meno25 subscribed.Dec 26 2018, 6:23 AM
gerritbot subscribed.Dec 29 2018, 6:05 PM

Change 481549 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Move the AbuseFilter user name to a global, improve it

https://gerrit.wikimedia.org/r/481549

gerritbot added a project: Patch-For-Review.Dec 29 2018, 6:05 PM
Daimona claimed this task.Dec 29 2018, 6:06 PM
Daimona moved this task from Next to Under review on the User-Daimona board.
alaa subscribed.Jan 1 2019, 9:44 PM
SatyamMishra subscribed.Jan 2 2019, 12:31 AM
Xaosflux subscribed.Jan 3 2019, 2:28 PM
Daimona added a comment.Jan 3 2019, 2:43 PM

See also T212720.

Vermont subscribed.Jan 3 2019, 3:05 PM
Vermont added a comment.Jan 3 2019, 3:12 PM

Another complaint about this account at https://meta.wikimedia.org/wiki/Talk:Steward_requests/Permissions#Strange_administrator_wikiquote:de:user:Missbrauchsfilter

Daimona added a comment.Jan 3 2019, 3:19 PM

@Adotchar Thanks for reporting. I wrote down a message for Tech/News in T209565#4852173 and it'll be announced on Jan 7th.

alaa added a comment.Jan 3 2019, 7:41 PM
In T212268#4852293, @Daimona wrote:

@Adotchar Thanks for reporting. I wrote down a message for Tech/News in T209565#4852173 and it'll be announced on Jan 7th.

I put announcement in arwiki about this issue 26 Dec 2018.

Jony subscribed.Jan 3 2019, 8:45 PM
Ninjastrikers subscribed.Jan 7 2019, 5:09 AM
Tgr subscribed.Jan 9 2019, 3:26 AM
In T212268#4833518, @Daimona wrote:

We would benefit from centralAuth

We wouldn't as it is now, newSystemUser creates non-attached local users. We should probably fix that, I don't think the global user page works for non-attached accounts, and that's very useful for system users, even if having a central account on its own isn't. (Granted, we could also just change GlobalUserPage to always show for system users.)

Daimona added a comment.Jan 9 2019, 11:13 AM

@Tgr If we want it to be the default, yes, it should be fixed in core. For AF, the user is attached on creation (see lines 723-727).
At any rate I think the change should be to attach system users, and not to make exceptions.

Mikemcgee closed this task as Declined.Jan 9 2019, 11:22 AM
Mikemcgee subscribed.

Cannot be fixed as it accessed to jimmy wales

Daimona reopened this task as Open.Jan 9 2019, 11:23 AM
Daimona removed a subscriber: Mikemcgee.
Mikemcgee renamed this task from Make the abusefilter-blocker user not be a sysop to Sorry it was declined.Jan 9 2019, 11:27 AM
Mikemcgee closed this task as Declined.
Mikemcgee removed Daimona as the assignee of this task.
Mikemcgee triaged this task as Unbreak Now! priority.
Mikemcgee removed projects: Patch-For-Review, User-Daimona, AbuseFilter.
Mikemcgee updated the task description. (Show Details)
Mikemcgee removed subscribers: Tgr, Ninjastrikers, Jony and 16 others.
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptJan 9 2019, 11:27 AM
Mikemcgee removed a subscriber: TerraCodes.Jan 9 2019, 11:28 AM
Mikemcgee lowered the priority of this task from Unbreak Now! to Needs Triage.Jan 9 2019, 11:31 AM
Nirmos renamed this task from Sorry it was declined to Make the abusefilter-blocker user not be a sysop.Jan 9 2019, 11:32 AM
Nirmos reopened this task as Open.
Nirmos updated the task description. (Show Details)
Daimona claimed this task.Jan 9 2019, 11:35 AM
Daimona added projects: Patch-For-Review, User-Daimona, AbuseFilter.
Daimona added subscribers: Tgr, Ninjastrikers, Jony and 16 others.
Tgr added a comment.Jan 9 2019, 6:36 PM
In T212268#4865283, @Daimona wrote:

@Tgr If we want it to be the default, yes, it should be fixed in core. For AF, the user is attached on creation (see lines 723-727).

Oh, wasn't aware of that. It's a very Wikimedia-specific hack though. The generic approach (which might or might not blow up spectacularly; also we'd probably want something like T69936 for it, and not just in AbuseFilter) would be to create the user with AuthManager::autoCreateUser(). https://gerrit.wikimedia.org/r/c/mediawiki/core/+/481554/ is somewhat related.

Krenair subscribed.Jan 12 2019, 4:36 PM
Amorymeltzer subscribed.Jan 12 2019, 5:25 PM
Izno subscribed.Jan 13 2019, 4:41 AM
RandomDSdevel awarded a token.Jan 16 2019, 5:55 PM
Tegel subscribed.Jan 20 2019, 5:16 PM
Daimona added a comment.Jan 22 2019, 12:46 PM

@Tgr I'm sorry but I'm not sure I understood. Is it correct that, after $user = User::newSystemUser( $wgAbuseFilterUserName, [ 'steal' => true ] ); (line 720) we should do

MediaWiki\Auth\AuthManager::singleton()->autoCreateUser(
	$user,
	MediaWiki\Auth\AuthManager::AUTOCREATE_SOURCE_MAINT,
	false
);

instead of dealing directly with CentralAuth?

Tgr added a comment.Jan 22 2019, 4:28 PM

Yes, although maybe that should be put into newSystemUser itself.

Tgr added a comment.Jan 25 2019, 8:15 PM

Hm, no, actually that wouldn't work; CentralAuth refuses autocreation attempts if there is a central user by that name. Let's move this to a separate task to avoid side-tracking too much here: T214722: Introduce global system users

gerritbot added a comment.Mar 23 2019, 11:26 AM

Change 481549 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Move the AbuseFilter user name to a global, improve it

https://gerrit.wikimedia.org/r/481549

revi mentioned this in T235598: Administrator (called "abusefilter-blocker") without contributions or log entries in the Mongolian Wikipedia.Oct 16 2019, 11:17 AM
Daimona mentioned this in T20660: Allow abuse filter to globally lock accounts and globally block IPs as an action.Nov 26 2019, 1:41 PM
DannyS712 subscribed.Feb 13 2020, 7:16 AM
CptViraj subscribed.Apr 19 2020, 3:34 PM
Rehman subscribed.Apr 19 2020, 4:09 PM
Janbery subscribed.Jun 15 2020, 8:08 PM
Daimona moved this task from Under review to Ideas for overhaul on the User-Daimona board.Aug 29 2020, 12:32 PM
Daimona edited projects, added AbuseFilter (Overhaul-2020); removed AbuseFilter, User-Daimona.Sep 16 2020, 2:11 PM

Accepting the part of not making this user be a sysop. The other thing included in the patch (making it use the same name everywhere) should be delayed.

kruusamagi subscribed.Mar 13 2022, 4:26 PM

This weird sysop-like user has been lurking around for many years now. Might we finally get to the point, when we get rid of that ghost from sysop lists?

Stang subscribed.Apr 8 2022, 3:19 PM
Tamzin subscribed.Apr 16 2022, 1:15 AM
matej_suchanek subscribed.Apr 19 2022, 1:08 PM

The Authority interface gives us now multiple options to solve the "not making this user be a sysop" part:

  1. Use UltimateAuthority.
  2. Use SimpleAuthority with sysop (needed) rights.
  3. Use UserAuthority and call PermissionManager::addTemporaryUserRights with sysop (needed) rights.

So?

Daimona added a comment.Apr 19 2022, 2:56 PM

I think UltimateAuthority would make sense -- the idea being that we want to skip any permission checks. I think system users were one of the original use cases for UltimateAuthority, too.

NguoiDungKhongDinhDanh subscribed.May 24 2022, 8:13 PM
Nintendofan885 subscribed.Jun 7 2022, 4:29 PM
Aklapper edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Aug 16 2022, 11:05 AM
Daimona removed Daimona as the assignee of this task.Aug 22 2022, 12:42 PM
Pppery awarded a token.Sep 20 2023, 1:37 AM
matej_suchanek added a comment.Apr 13 2024, 3:19 PM

Idea (kind of compromise): Remove the UserGroupManager::addUserToGroup call from the database updater (SchemaChangesHandler). The user will be created when the extension is installed but will be promoted only if the wiki decides to use the aggressive counter-features.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits