Draft: Disable Phab user when their SUL account is globally locked (!87) · Merge requests · repos / phabricator / phabricator

Aklapper requested to merge T338384caLock into wmf/stable Apr 04, 2025

When a Phab account is linked to SUL, check whether the SUL account is globally locked in CentralAuth, and disable their Phab account.

Test Plan without CentralAuth:

Replace the following lines:

- $mw_api_base = "https://mediawiki.org/w/api.php";
+ $mw_api_base = "http://mediawiki.localhost/api.php";
- "list" => "globalallusers",
- "agufrom" => $mw_sul_username,
- "aguto" => $mw_sul_username,
- "aguprop" => "lockinfo",
+ "list" => "users",
+ "ususers" => $mw_sul_username,
+ "usprop" => "blockinfo",
- if (isset($mw_api_result['query']['globalallusers'][0]['locked'])) {
+ if (isset($mw_api_result['query']['users'][0]['blockid'])) {

Set up MediaWiki and WMF Phabricator locally
Create an average user account "UserZ" in MediaWiki
Log into the MediaWiki user account "UserZ" in MediaWiki
Create and log into a Phab account "UserZ" linked to MediaWiki OAuth
As an MW admin, go to http://mediawiki.localhost/index.php?title=Special:Block/UserZ and add block for that user
As Phab user "UserZ", go to any page in Phabricator
See that Phab user "UserZ" gets logged out
Get error trying to log in again via SUL

Bug: T338384

Edited Apr 04, 2025 by Aklapper

Admin message

Admin message

Draft: Disable Phab user when their SUL account is globally locked

Merge request reports