InitialiseSettings.php says "inactive" group is "for show only", but I don't think there're any point to show a list of inactive users. Also there're already Special:BlockList. Adding users in "inactive" group does not prevent them from editing ($RevokePermissions).
If we want to remove this group we should also removed related code from https://git.wikimedia.org/blob/mediawiki/extensions/DisableAccount/9889477e42fa3f7a5d93eaa52fa0c52e72ae02fa/DisableAccount_body.php (just one line)
Accounts blocked with DisableAccount are automatically added into the inactive user group. However, yes, that flag does nothing. It is useful to see how many accounts are no longer active, but maybe this can be switched to Special:BlockList.
@Krenair This is not only a bug of DisableAccount extension. See https://noc.wikimedia.org/conf/highlight.php?file=InitialiseSettings.php
// Whitelist read wikis 'private' => array( '*' => array( 'read' => false, 'edit' => false, 'createaccount' => false ), 'user' => array( ... ), 'inactive' => array( // for show only ), ), ... // Fishbowls 'fishbowl' => array( '*' => array( 'edit' => false, 'createaccount' => false ), 'user' => array( ... ), 'inactive' => array( // for show only ), ),
It should also be removed from InitialiseSettings.php
I know, part of it is for the DisableAccount extension, and therefore this is in MediaWiki-extensions-Other, where it needs the DisableAccount tag in the title.
@Kizule: It's "open", but I guess that's not what you want to know. :) Do you have a more specific question?
Yes, e.g. https://foundation.wikimedia.org/w/index.php?title=Special:ListUsers&group=inactive. This group should be removed. And also such groups exists in some private wikis.
Change 789973 had a related patch set uploaded (by Stang; author: Stang):
[operations/mediawiki-config@master] Remove "inactive" user group
On some sites enabled wgBlockDisablesLogin, there still exist some user who is inside inactive group and get no block applied. Although this is not that relevant to this task (relevant to the undeployment of DisableAccount extension instead), local bureaucrats need to pay special attention. I suggest to perform a throughout review of those sites (especially sites inside private.dblist).
So I suggest to wait until process mentioned in previous comment complete, then we could move forward on this task.
On some sites enabled wgBlockDisablesLogin, there still exist some user who is inside inactive group and get no block applied.
Should I post some kind of announcement somewhere for that, and where to do so?
Add User-notice per suggestion on IRC, maybe this should be mentioned in Tech News. In summary:
There's a user group called "inactive" will be remove soon, as the extension depends on this group has been undeployed many years ago (T106067). This group only exist on fishbowl and private wiki; currently, blocked user will no longer able to login on these sites. Local bureaucrat should check if there's any user listed inside this group and not blocked via Special:ListUsers/inactive. If such user exist, please block them.
I'm not sure if it's needed to tag Security-Team, as this is kind of potential (sensitive) data leakage, especially on private wikis.
Ping @Reedy as I see some potentially related comments from you about the existence of a migration script (e.g. T141954 and T158863) plus an older script by Glaisher mentioned in T109060.
Would either of those scripts be usable to resolve this cleanup automatically?
If not.... then (we'll proceed with a broad announcement/request):
Hi @Stang I noticed that there is an added complexity at wikis without this historic feature. At those (most!) wikis, visiting Special:ListUsers/inactive will simply show the full user list starting at that alphabetical point (e.g.1, e.g.2). That makes it potentially confusing to simply mention the Title-string within Tech News, because many readers will likely check their own wiki out of curiosity, and then might be confused to see so many results...
To get around that, perhaps we can just direct bureaucrats here, and assume that they can read (or machine-translate) the English instructions?
I.e. I propose that you/I/someone edits this Task's Description to put the "Action item" for Bureaucrats at the very top. E.g.
Bureaucrats on fishbowl or private wikis: Please go to `Special:ListUsers/inactive` on your wiki. Most of the users in that list are probably already blocked. Any users that are //not// already blocked, should be blocked. If they are not blocked, then they will suddenly be able to login to your wiki, once this usergroup is removed. ---- (original task description)
Then in Tech News we could write something like this:
Bureaucrats on private or fishbowl wikis are requested to look at [[phab:T106068]]. An old extension is being removed along with the usergroup named "inactive". All users within that usergroup need to be blocked, if they are not already.
We don't have the extension deployed, but in theory that script should work standlone...
Wow there's such maint script here. I thought it would be nice if this script could complete all the works we should do, and if could not, a Tech News announcement would be necessary.
Might be worth copying/forking the script into the WikimediaMaintenance extension for a bit for ease
Change 816317 had a related patch set uploaded (by Stang; author: Stang):
[mediawiki/extensions/WikimediaMaintenance@master] DisableAccount: Copy blockDisabledAccounts.php to this repo
Change 816317 merged by jenkins-bot:
[mediawiki/extensions/WikimediaMaintenance@master] DisableAccount: Copy blockDisabledAccounts.php to this repo
Would like to schedule a maintenance script (blockDisabledAccounts.php) run at all fishbowl & private wikis on Oct 10 afternoon backport window.
If I understand correctly, we don't need Tech News for this, hence I'm untagging User-notice . Revert if I'm mistaken. :)
Script not actually run yesterday due to some concern. The "DisableAccount" extension will swipe the user_password and user_email field when disabling an account, and if a user disabled by that extension want itself to be re-enabled, they require help from sysadmin. The question is, for a user whose password and email got swiped, is it still needed to block it?
Also, I would like to have the following query executed on all fishbowl/private wikis, to estimate how many accounts will be affected. @Reedy could you please run this query? Thanks!
SELECT user_id, user_name FROM user JOIN user_groups ON user_id = ug_user LEFT JOIN ipblocks ON user_id = ipb_user WHERE ug_group = 'inactive' AND user_password != '' AND user_email != '' AND ipb_user IS NULL;
Change #789973 abandoned by Stang:
[operations/mediawiki-config@master] Remove "inactive" user group
Reason:
no longer work on this
So running that query now doesn't necessarily work, due to T367632: Drop ipblocks in production (and related work, meaning its no longer created).
It fails on arbcom_itwiki, sysop_plwiki, u4cwiki and wikimaniateamwiki, which I suspect never would have had disableaccount enabled.
Most of the wikis are 0 rows, except collabwiki, internalwiki, noboard_chapterswikimedia...