Page MenuHomePhabricator
Create Task
Maniphest T19929

CentralAuth account locks should trigger global autoblocks
Open, LowPublic
Actions

Assigned To
None
Authored By
werdna
Mar 11 2009, 9:50 AM
Tags
Referenced Files
None
Subscribers
1234qwer1234qwer4
Ajraddatz
Aklapper
Aldnonymous
Amorymeltzer
Asartea
DannyS712
View All 30 Subscribers
Tokens
"Cup of Joe" token, awarded by Sj."100" token, awarded by kolbert."Like" token, awarded by Liuxinyu970226."Like" token, awarded by Poyekhali."Like" token, awarded by Nemo_bis.

Description

When a global account is locked there should be an option to allow to automatically global block the IP of the global account as it happens with the autoblock feature on regular wiki blocks. For this to work I guess that CentralAuth should pull the last IP used by the user being locked and submit it to GlobalBlocking anonymized (ie #1234) so the user IPs ain't disclosed in the process to the public.

Currently, since global account locks just terminates the session of the user and makes their password fail, they can continue creating accounts until a steward pulls the IP/CIDR of the user and globalblocks, which increases stewards' work and reduce effectiveness of the tool.

Details

Reference
bz17929

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT19929 CentralAuth account locks should trigger global autoblocks
 ResolvedNoneT28476 CentralAuth: unsuppression does not work on locally blocked accounts
 DuplicateNoneT25654 Global oversight fails to un-hide users when reversed
 OpenSkizzerzT17294 Allow blocking of global accounts
 OpenDreamy_JazzT356990 GlobalBlocking extension has poor test coverage
 OpenNoneT358777 Rename messages with the '-new' suffix to remove this suffix
 OpenNoneT358776 Remove old versions of GlobalBlocking i18n messages
 OpenNoneT358773 Remove the global accounts block configuration flag
 OpenNoneT356924 Deploy global account blocks to WMF wikis
 OpenNoneT356926 Add support to block global accounts using the globalblock API
 OpenNoneT356929 Allow SpecialRemoveGlobalBlock to remove a global block on an account
 ResolvedDreamy_JazzT356931 Support modifying the status of global blocks on accounts using Special:GlobalBlockStatus
 OpenNoneT356932 Allow Special:GlobalBlockList to show global blocks for accounts
 ResolvedDreamy_JazzT359584 Provide action links on Special:Log for global block entries
 OpenDreamy_JazzT356934 Allow a user to perform global blocks on accounts using Special:GlobalBlock
 OpenNoneT356935 The 'globalblocks' API should support listing global blocks for accounts
 ResolvedDreamy_JazzT356936 Update GlobalBlocking services to support global block on accounts
 ResolvedDreamy_JazzT358150 Update the GlobalBlockLocalStatusLookup and GlobalBlockLocalStatusManager services to support blocking accounts
 ResolvedDreamy_JazzT358157 Update the GlobalBlockManager service to support global blocks on accounts
 ResolvedDreamy_JazzT358155 Update GlobalBlockLookup service to support global blocks on accounts
 ResolvedDreamy_JazzT356876 Add a column to store central ID in globalblocks and global_block_whitelist tables
 Resolved MarosteguiT356987 Add gb_target_central_id to the globalblocks table on the centralauth DB
 Resolved MarosteguiT356988 Add gbw_target_central_id to global_block_whitelist table on WMF wikis
 ResolvedDreamy_JazzT356922 Deprecate unnecessary GlobalBlocking hooks
 ResolvedDreamy_JazzT359091 Create GlobalBlockLocalStatusManager service
 ResolvedDreamy_JazzT358865 Use non-legacy log parameters for log entries for global blocking and unblocking
 ResolvedDreamy_JazzT358725 Update the GlobalBlockingLinkBuilder service for global account blocks
 ResolvedDreamy_JazzT356923 Create a configuration value to control whether global account blocks are enabled
 ResolvedDreamy_JazzT356925 Update or duplicate GlobalBlocking messages to allow staged deployment of blocking accounts
 ResolvedDreamy_JazzT357385 Refactor the GlobalBlocking utility class into services
 ResolvedDreamy_JazzT357399 Create GlobalBlockingConnectionProvider
 ResolvedDreamy_JazzT357443 Create GlobalBlockingBlockPurger service
 ResolvedDreamy_JazzT357506 Create GlobalBlockLocalStatusLookup service
 ResolvedDreamy_JazzT357675 Create GlobalBlockLookup service
 ResolvedDreamy_JazzT357925 Create the GlobalBlockManager service
 ResolvedTchandersT360516 Periodically remove orphaned global_block_whitelist entries
 ResolvedDreamy_JazzT360621 Test and make improvements to the fixGlobalBlockWhitelist.php script

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:35 PM
bzimport added projects: MediaWiki-extensions-CentralAuth, Crosswiki.
bzimport set Reference to bz17929.
bzimport added a subscriber: Unknown Object (MLST).
werdna created this task.Mar 11 2009, 9:50 AM
werdna added a comment.Jul 16 2009, 5:04 PM

(Batch change)

These are low-priority miniprojects that I can mop up at some point when I'm doing general code work as opposed to working on a specific projects.

werdna added a comment.Aug 14 2009, 12:37 PM

[Batch change]

Removing Dave McCabe from CC, who I somehow managed to add to the CC list of 12 bugs assigned to me.

Platonides added a comment.Aug 8 2010, 11:05 PM

Dupe of bug 23114 ?

MarcoAurelio added a comment.Aug 9 2010, 6:41 AM

(In reply to comment #3)

Dupe of bug 23114 ?

Absolutelly not. Bug 23114 talks about *local* autoblocking of suppressed accounts only (lock + suppress). What it is requested here is to globally autoblock the IP(s) of an account when it is locked/lock-hidden/lock-suppressed. This would save us stewards *a lot* of time when dealing with cross-wiki disruption.

Preferably it would be better if we could have a checkbox in the form to select if in that lock we want to activate global autoblock, etc.

Platonides added a comment.Aug 9 2010, 2:13 PM

I see. You want the ip autolocked even for projects they have never been.

MarcoAurelio added a comment.Aug 2 2011, 4:42 PM

(In reply to comment #5)

I see. You want the ip autolocked even for projects they have never been.

Kind of it happens when you locally block an account with account creation blocked + autoblock. The system could set a global autoblock (global IP block) on the IP. Until global blocking of accounts is possible, this would be very helpful. Thank you.

Platonides added a comment.Aug 3 2011, 6:15 PM

This depends on creating global blocks. Which could be nice for other tasks, such as global proxy blocking. Although I have also seen meta admins going wild blocking proxys, too.

MZMcBride added a comment.Aug 3 2011, 8:54 PM

(In reply to comment #7)

This depends on creating global blocks. Which could be nice for other tasks,
such as global proxy blocking. Although I have also seen meta admins going wild
blocking proxys, too.

For reference, global IP blocking already exists. I'm not sure if this includes ranges (I assume so).

Platonides added a comment.Aug 3 2011, 9:24 PM

Right. There's GlobalBlocking extension. I did check http://meta.wikimedia.org/wiki/Special:Log before sending comment #7, and I would say the 'Global IP block' option wasn't there... :(

MarcoAurelio added a comment.Aug 3 2011, 9:34 PM

(In reply to comment #8)

For reference, global IP blocking already exists. I'm not sure if this includes
ranges (I assume so).

Yes. IP Rangeblocks (up to /16 ones) can be made with the GlobalBlocking extension, already avalaible to us. However global *b*locking of accounts is not possible at present. See bug 15294 for such a request or possibly bug 18182 too.

(In reply to comment #7)

This depends on creating global blocks. Which could be nice for other tasks,
such as global proxy blocking. Although I have also seen meta admins going wild
blocking proxys, too.

Currently we globally lock plain vandal accounts and plain abusive usernames.

Notwithstanding since the user IP addresses are not affected by global locks (as opposed to a local block with autoblock + account creation blocked) the user can simply continue creating abusive accounts until it hits the account creation per IP limit.

Having the option to autoblock the IP with account creation blocked globally will save us a lot of time having to manually get IPs of vandal accounts and blocking them to avoid ie: switching to another wiki or continue vandalizing, which is very annoying.

Thank you.

MarcoAurelio added a comment.Dec 30 2011, 3:19 PM

Removing ASSIGNED status as no real person seems to be taking care of this (wikibugs is just a mailing list) --> NEW

I suggest too raising the priority to normal. If this existed our work would become easier. Thanks.

+ crosswiki -- Two extensions involved: CentralAuth + GlobalBlocking.

Regards.

bzimport added a comment.Mar 3 2012, 1:17 PM

quentinv57 wrote:

I've put the priority to normal, as suggested above. We're now waiting for three years.

It would be very nice if this could be processed, even if I agree that it would be time-consuming for developers. But the time you will spend doing this is insignificant regarding the time stewards have lost due to this for now. As Marco Aurelio said above, this will be an amazing gain of time.

Now, when stewards want to globally block a crosswiki vandal, they have to perform the following operations :
1- lock the account
2- give themselves the CheckUser status locally
3- check the user IP
4- block the IP globally
5- remove themselves the CheckUser status
6- lock and delete the stuff the vandal has spread between the time the account has been locked and the IP globally blocked

If we had an auto-block that works, we would no more have to perform the last five points. The gain of time is at least 80%.

Moreover, some vandals know we can't perform checks on projets with local CheckUsers. Indeed, the steward policy forbids us to do this. So sometimes they play with us creating multiple accounts to vandalize, and move from a wiki with local CUs to an other. And we have to wait sometimes for dozens of minutes that a local CheckUser is available to perform the check and to globally block the IP.

I hope I was convincing enough. Thanks for your understanding.

Quentinv57

Platonides added a comment.Oct 28 2012, 10:06 PM

It looks easy to make an account lock (optionally) insert a globalblock row.
globalblocks table would need a gb_auto column and filtering to not show the ip address in that case.
It's a different approach than the one used in 'normal' autoblocks, but looks more appropiate.

A problem would be that unlocking would need manual unblocking of the ips, though. But seems acceptable.

Trijnstel subscribed.Nov 29 2014, 10:48 PM
Rschen7754 subscribed.Nov 30 2014, 12:37 AM
werdna unsubscribed.Dec 10 2014, 5:23 PM
Nemo_bis awarded a token.Dec 12 2014, 8:01 AM
Glaisher subscribed.Apr 10 2015, 5:32 PM
Aldnonymous subscribed.Apr 29 2015, 4:25 PM
Liuxinyu970226 subscribed.May 12 2015, 5:04 AM
Rschen7754 unsubscribed.Jun 27 2015, 8:07 PM
Legoktm added a project: Stewards-and-global-tools.Oct 27 2015, 4:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 27 2015, 4:58 PM
MarcoAurelio mentioned this in T17294: Allow blocking of global accounts.Mar 23 2016, 5:23 PM
MarcoAurelio removed a subscriber: wikibugs-l-list.Apr 18 2016, 9:18 AM
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptApr 18 2016, 9:18 AM
Ajraddatz merged a task: T133583: Global blocking from centralauth.Apr 25 2016, 7:55 PM
Ajraddatz subscribed.

Copying my explanation from the merged task:
Currently, global locks cannot apply an autoblock and only prevent users from logging in. It would be beneficial to add a "global block" option to this, so that the autoblock can be applied. Currently stewards need to use CheckUser to find the IP address and then separately globally block it, which is public and usually results in an easy connection of account --> IP.

I was testing with centralauth today as a result of [[T47094]], and found out that the "oversight" option of centralauth already does this with a hideuser block. Could a feature be built off of the existing infrastructure to allow for global blocking through centralauth without oversight, in the same way that currently exists? This should be separate from global locking.

Glaisher added a project: GlobalBlocking.Apr 26 2016, 9:22 AM
Luke081515 subscribed.EditedApr 26 2016, 2:34 PM

Maybe we should ask an performance expert, because suppressing auser requires actually a job, which blocks him at all wikis. I'm not a steward, so I can't controll this, but I guess you lock more accounts then hide or suppress accounts, so this can be a performance problem.

And: Before we create this, we have to fix T28476. Otherwise a steward who locks a account in error, and wants to revert it, have to unblock the user in every wiki. Sounds like much fun, if you have to unblock the user at (for example for my account) 394 wikis. :-/

Luke081515 added a subtask: T28476: CentralAuth: unsuppression does not work on locally blocked accounts.Apr 26 2016, 2:34 PM
Glaisher added a comment.Apr 26 2016, 3:52 PM

Yeah, the current system is actually quite inefficient and has several issues because it requires sending blocks to all the wikis and these can be hard to manage. Proper way to go forward would be to implement a central blocking system in GlobalBlocking extension as suggested above.

Luke081515 closed subtask T28476: CentralAuth: unsuppression does not work on locally blocked accounts as Resolved.Apr 26 2016, 9:54 PM
Nemo_bis added a subtask: T17294: Allow blocking of global accounts.May 22 2016, 7:01 AM
Nemo_bis added a comment.May 22 2016, 7:04 AM
In T19929#2239938, @Glaisher wrote:

Proper way to go forward would be to implement a central blocking system in GlobalBlocking extension as suggested above.

Ok, if so T17294 is a blocker, right? Note that this feature request is also about making the local wiki aware of the IP addresses used by the blocker user on another wiki. Or did you mean that you want to "centralise" the implementation of the IP blocks alone?

TerraCodes subscribed.May 22 2016, 7:20 AM
Aklapper added a subscriber: bzimport.May 22 2016, 11:04 AM
In T19929#228729, @bzimport wrote:

quentinv57 wrote:
I've put the priority to normal, as suggested above. We're now waiting for three years.

The Priority field should reflect reality but does not cause it... So I'm afraid this is de facto low priority (as it was initially).

It would be very nice if this could be processed, even if I agree that it would be time-consuming for developers.

Wondering if someone could bring up this task for the next Community Wishlist round, to give it more attention?

Poyekhali subscribed.May 30 2016, 4:28 AM
Phabricator_maintenance added a project: MediaWiki-Revision-deletion.Aug 5 2016, 2:26 PM
Phabricator_maintenance removed a subscriber: bzimport.
Phabricator_maintenance removed a parent task: T20840: [DO NOT USE] RevDelete/HideUser (tracking) [superseded by #MediaWiki-Revision-deletion].Aug 5 2016, 2:28 PM
Poyekhali lowered the priority of this task from Medium to Low.Aug 9 2016, 9:38 AM

Per T19929#2315837. Feel free to raise it back to normal if someone is interested in this task.

Poyekhali awarded a token.Aug 9 2016, 9:38 AM
MarcoAurelio removed a parent task: T43492: [DO NOT USE] Steward, global sysop and SWMT tasks bugs (tracking) [superseded by #Stewards-and-global-tools].Jan 11 2017, 11:39 PM
Matanya moved this task from Untriaged to Medium priority on the Stewards-and-global-tools board.Apr 19 2017, 8:38 PM
Krinkle mentioned this in T27305: Add a way to extend autoblock to longer than 1 day.May 7 2017, 11:48 PM
MarcoAurelio removed projects: MediaWiki-Revision-deletion, Crosswiki.Jul 23 2017, 10:39 PM
MarcoAurelio updated the task description. (Show Details)
TBolliger subscribed.Nov 9 2017, 7:39 PM
Liuxinyu970226 awarded a token.Nov 12 2017, 2:02 AM
Stryn subscribed.Jul 1 2018, 2:08 PM

This is very important for stewards.

Today I locked cross-wiki vandal, and then I went to login.wikimedia.org to checkuser the account, and at this time he had created another account and was already vandalizing before I globally blocked the IP.

Amorymeltzer subscribed.Mar 21 2019, 2:21 PM
Tegel subscribed.Feb 28 2020, 7:40 PM
MarcoAurelio renamed this task from CentralAuth lock/hide should trigger global autoblocks to CentralAuth account locks should trigger global autoblocks.Jun 12 2020, 9:25 AM
MarcoAurelio mentioned this in T255161: Poll stewards and admins on spam-fighting efforts.Jun 12 2020, 9:33 AM
DannyS712 subscribed.Jun 16 2020, 9:29 PM
Asartea subscribed.Nov 19 2020, 3:38 PM
Jony subscribed.Nov 21 2020, 5:13 PM
taavi subscribed.Dec 28 2020, 8:48 AM
MrJaroslavik subscribed.Feb 22 2021, 7:01 PM
dmehus subscribed.Feb 22 2021, 7:02 PM
In T19929#228729, @bzimport wrote:

quentinv57 wrote:

I've put the priority to normal, as suggested above. We're now waiting for three years.

It would be very nice if this could be processed, even if I agree that it would be time-consuming for developers. But the time you will spend doing this is insignificant regarding the time stewards have lost due to this for now. As Marco Aurelio said above, this will be an amazing gain of time.

Now, when stewards want to globally block a crosswiki vandal, they have to perform the following operations :
1- lock the account
2- give themselves the CheckUser status locally
3- check the user IP
4- block the IP globally
5- remove themselves the CheckUser status
6- lock and delete the stuff the vandal has spread between the time the account has been locked and the IP globally blocked

If we had an auto-block that works, we would no more have to perform the last five points. The gain of time is at least 80%.

Moreover, some vandals know we can't perform checks on projets with local CheckUsers. Indeed, the steward policy forbids us to do this. So sometimes they play with us creating multiple accounts to vandalize, and move from a wiki with local CUs to an other. And we have to wait sometimes for dozens of minutes that a local CheckUser is available to perform the check and to globally block the IP.

I hope I was convincing enough. Thanks for your understanding.

Quentinv57

Well articulated rationale. I don't think I could've articulated a better, more concise use case.

Thanks for this.

R4356th subscribed.Feb 23 2021, 5:02 AM
Zabe subscribed.Oct 4 2021, 11:44 PM
1234qwer1234qwer4 subscribed.Jun 19 2022, 4:54 PM
Johannnes89 subscribed.Mar 23 2023, 10:02 PM
Vermont subscribed.Aug 11 2023, 6:21 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptAug 11 2023, 6:21 PM
kolbert subscribed.Aug 19 2023, 3:54 AM
larissagaulia moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Aug 22 2023, 12:36 PM
larissagaulia edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
kolbert awarded a token.Aug 24 2023, 6:57 AM
Str13tlife removed a subtask: T17294: Allow blocking of global accounts.Nov 26 2023, 8:08 PM
JJMC89 added a subtask: T17294: Allow blocking of global accounts.Nov 26 2023, 8:13 PM
Sj awarded a token.Dec 9 2023, 11:41 PM
Bugreporter moved this task from Backlog to Global account management (lock/hide/suppress) on the MediaWiki-extensions-CentralAuth board.Jan 17 2024, 12:59 PM
Bugreporter mentioned this in T355286: [Epic] Globally blocking a temporary account should prevent further account creations.Jan 18 2024, 7:28 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL