Add private logging when user disables 2fa for someone else

It's better that we add for when someone enables or disables for self too
But that can be done in a follow-up patch

Bug: T180896
Change-Id: Ic173ebb7e39d22e40fea23c2b906d246adef1e05

extension.json

@@ -86,15 +86,18 @@
 	"AvailableRights": [
 		"oathauth-enable",
 		"oathauth-api-all",
-		"oathauth-disable-for-user"
+		"oathauth-disable-for-user",
+		"oathauth-view-log"
 	],
 	"GroupPermissions": {
 		"*": {
 			"oathauth-enable": true,
-			"oathauth-disable-for-user": false
+			"oathauth-disable-for-user": false,
+			"oathauth-view-log": false
 		},
 		"sysop": {
-			"oathauth-disable-for-user": true
+			"oathauth-disable-for-user": true,
+			"oathauth-view-log": true
 		}
 	},
 	"GrantPermissions": {
@@ -121,5 +124,18 @@
 		}
 	},
 	"load_composer_autoloader": true,
+	"LogTypes": [ "oath" ],
+	"LogNames": {
+		"oath": "oath-log-name"
+	},
+	"LogHeaders": {
+		"oath": "oath-log-header"
+	},
+	"LogActionsHandlers": {
+		"oath/*": "LogFormatter"
+	},
+	"LogRestrictions": {
+		"oath": "oathauth-view-log"
+	},
 	"manifest_version": 1
 }

i18n/en.json

@@ -29,8 +29,11 @@
 	"oathauth-entertoken": "Enter a code from your authentication device to verify:",
 	"oathauth-disable-for-user": "Disable two-factor authentication for a user",
 	"right-oathauth-disable-for-user": "Disable two-factor authentication for a user",
+	"right-oathauth-view-log": "Access to log of two-factor authentication changes",
+	"action-oathauth-view-log": "access to log of two-factor authentication changes",
 	"oathauth-disable-intro": "With great power, comes great responsibility",
 	"oathauth-enteruser": "Username:",
+	"oathauth-enterreason": "Reason for disabling:",
 	"oathauth-user-not-does-not-have-oath-enabled": "User doesn't have two-factor authentication enabled, so nothing to disable",
 	"right-oathauth-enable": "Enable two-factor authentication",
 	"action-oathauth-enable": "enable two-factor authentication",
@@ -45,6 +48,9 @@
 	"right-oathauth-api-all": "Query and validate OATH information for self and others",
 	"action-oathauth-api-all": "check OATH status",
 	"oathauth-user-not-found": "No user account was found with that name",
+	"oath-log-name": "Two-factor authentication log",
+	"oath-log-header": "These events track changes to users two-factor authentication status.",
+	"logentry-oath-disable-other": "$1 {{GENDER:$2|disabled}} the two-factor authentication of $3",
 	"apihelp-query+oath-description": "Check to see if two-factor authentication (OATH) is enabled for a user.",
 	"apihelp-query+oath-summary": "Check to see if two-factor authentication (OATH) is enabled for a user.",
 	"apihelp-query+oath-param-user": "User to get information about. Defaults to the current user.",

i18n/qqq.json

@@ -36,8 +36,11 @@
 	"oathauth-entertoken": "Label on input field on Special:OATH asking user to enter token",
 	"oathauth-disable-for-user": "Title of the special page to disable other users' two-factor authentication (OATH)",
 	"right-oathauth-disable-for-user": "{{doc-right|oathauth-disable-for-user}}",
+	"right-oathauth-view-log": "{{doc-right|oathauth-view-log}}",
+	"action-oathauth-view-log": "{{doc-action|oathauth-view-log}}",
 	"oathauth-disable-intro": "Intro message for special to disable other users' two-factor authentication (OATH)",
 	"oathauth-enteruser": "Label for user field in special page to disable",
+	"oathauth-enterreason": "Label for field for reason in special page to disable",
 	"oathauth-user-not-does-not-have-oath-enabled": "Error message when user does not have two-factor authentication (OATH) enabled",
 	"right-oathauth-enable": "{{doc-right|oathauth-enable}}",
 	"action-oathauth-enable": "{{doc-action|oathauth-enable}}",
@@ -52,6 +55,9 @@
 	"right-oathauth-api-all": "{{doc-right|oathauth-api-all}}",
 	"action-oathauth-api-all": "{{doc-action|oathauth-api-all}}",
 	"oathauth-user-not-found": "Message that Special:DisableOATHForUser will display when no user account can be found with the name provided",
+	"oath-log-name": "The Special:Log log name that appears in the drop-down on the Special:Log page",
+	"oath-log-header": "The Special:Log description that appears on the Special:Log page when you filter logs on this specific log name",
+	"logentry-oath-disable-other": "The template of the log entry message",
 	"apihelp-query+oath-description": "{{doc-apihelp-description|query+oath}}",
 	"apihelp-query+oath-summary": "{{doc-apihelp-summary|query+oath}}",
 	"apihelp-query+oath-param-user": "{{doc-apihelp-param|query+oath|user}}",

includes/special/SpecialDisableOATHForUser.php

@@ -65,7 +65,13 @@ class SpecialDisableOATHForUser extends FormSpecialPage {
 				'default' => '',
 				'label-message' => 'oathauth-enteruser',
 				'name' => 'user'
-			]
+			],
+			'reason' => [
+				'type' => 'text',
+				'default' => '',
+				'label-message' => 'oathauth-enterreason',
+				'name' => 'reason'
+			],
 		];
 	}
 
@@ -93,6 +99,12 @@ class SpecialDisableOATHForUser extends FormSpecialPage {
 		$oathUser->setKey( null );
 		$this->OATHRepository->remove( $oathUser, $this->getRequest()->getIP() );
 
+		$logEntry = new ManualLogEntry( 'oath', 'disable-other' );
+		$logEntry->setPerformer( $this->getUser() );
+		$logEntry->setTarget( $user->getUserPage() );
+		$logEntry->setComment( $formData['reason'] );
+		$logEntry->insert();
+
 		\MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )->info(
 			'OATHAuth disabled for {usertarget} by {user} from {clientip}', [
 				'user' => $this->getUser()->getName(),