From 808df6dc551ddc5e788f41dd546950f379142636 Mon Sep 17 00:00:00 2001
From: Amir Sarabadani
Date: Sun, 7 Apr 2019 00:30:51 +0200
Subject: [PATCH] Add private logging when user disables 2fa for someone else

It's better that we add for when someone enables or disables for self too
But that can be done in a follow-up patch

Bug: T180896
Change-Id: Ic173ebb7e39d22e40fea23c2b906d246adef1e05
---
 extension.json | 22 ++++++++++++++++---
 i18n/en.json | 6 +++++
 i18n/qqq.json | 6 +++++
 .../special/SpecialDisableOATHForUser.php | 14 +++++++++++-
 4 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/extension.json b/extension.json
index f6bfe16c..f1c6d038 100644
--- a/extension.json
+++ b/extension.json
@@ -86,15 +86,18 @@
 "AvailableRights": [
 "oathauth-enable",
 "oathauth-api-all",
- "oathauth-disable-for-user"
+ "oathauth-disable-for-user",
+ "oathauth-view-log"
 ],
 "GroupPermissions": {
 "*": {
 "oathauth-enable": true,
- "oathauth-disable-for-user": false
+ "oathauth-disable-for-user": false,
+ "oathauth-view-log": false
 },
 "sysop": {
- "oathauth-disable-for-user": true
+ "oathauth-disable-for-user": true,
+ "oathauth-view-log": true
 }
 },
 "GrantPermissions": {
@@ -121,5 +124,18 @@
 }
 },
 "load_composer_autoloader": true,
+ "LogTypes": [ "oath" ],
+ "LogNames": {
+ "oath": "oath-log-name"
+ },
+ "LogHeaders": {
+ "oath": "oath-log-header"
+ },
+ "LogActionsHandlers": {
+ "oath/*": "LogFormatter"
+ },
+ "LogRestrictions": {
+ "oath": "oathauth-view-log"
+ },
 "manifest_version": 1
 }
diff --git a/i18n/en.json b/i18n/en.json
index 89ff5351..c4d94e2c 100644
--- a/i18n/en.json
+++ b/i18n/en.json
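Review bot: The wildcard handler `"oath/*": "LogFormatter"` in the second hunk makes core derive each entry's message from its subtype (`logentry-oath-<subtype>`), and only `disable-other` gets such a message in this patch, so the self enable/disable entries the description defers to a follow-up will render as a missing-message key until their `logentry-oath-*` messages are added. JSON cannot carry a comment, so this is worth recording in the extension documentation next to the new log type. The `LogRestrictions` mapping to `oathauth-view-log` appears to gate Special:Log and, presumably, the logevents API for everyone without that right, which matches the "private" intent; confirm that `sysop` holding both `oathauth-disable-for-user` and `oathauth-view-log` is acceptable, since the same group then performs and reviews the action.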
@@ -29,8 +29,11 @@
 "oathauth-entertoken": "Enter a code from your authentication device to verify:",
 "oathauth-disable-for-user": "Disable two-factor authentication for a user",
 "right-oathauth-disable-for-user": "Disable two-factor authentication for a user",
+ "right-oathauth-view-log": "Access to log of two-factor authentication changes",
+ "action-oathauth-view-log": "access to log of two-factor authentication changes",
 "oathauth-disable-intro": "With great power, comes great responsibility",
 "oathauth-enteruser": "Username:",
+ "oathauth-enterreason": "Reason for disabling:",
 "oathauth-user-not-does-not-have-oath-enabled": "User doesn't have two-factor authentication enabled, so nothing to disable",
 "right-oathauth-enable": "Enable two-factor authentication",
 "action-oathauth-enable": "enable two-factor authentication",
@@ -45,6 +48,9 @@
 "right-oathauth-api-all": "Query and validate OATH information for self and others",
 "action-oathauth-api-all": "check OATH status",
 "oathauth-user-not-found": "No user account was found with that name",
+ "oath-log-name": "Two-factor authentication log",
+ "oath-log-header": "These events track changes to users two-factor authentication status.",
+ "logentry-oath-disable-other": "$1 {{GENDER:$2|disabled}} the two-factor authentication of $3",
 "apihelp-query+oath-description": "Check to see if two-factor authentication (OATH) is enabled for a user.",
 "apihelp-query+oath-summary": "Check to see if two-factor authentication (OATH) is enabled for a user.",
 "apihelp-query+oath-param-user": "User to get information about. Defaults to the current user.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index 08b4ae41..c266a61a 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -36,8 +36,11 @@
 "oathauth-entertoken": "Label on input field on Special:OATH asking user to enter token",
 "oathauth-disable-for-user": "Title of the special page to disable other users' two-factor authentication (OATH)",
 "right-oathauth-disable-for-user": "{{doc-right|oathauth-disable-for-user}}",
+ "right-oathauth-view-log": "{{doc-right|oathauth-view-log}}",
+ "action-oathauth-view-log": "{{doc-action|oathauth-view-log}}",
 "oathauth-disable-intro": "Intro message for special to disable other users' two-factor authentication (OATH)",
 "oathauth-enteruser": "Label for user field in special page to disable",
+ "oathauth-enterreason": "Label for field for reason in special page to disable",
 "oathauth-user-not-does-not-have-oath-enabled": "Error message when user does not have two-factor authentication (OATH) enabled",
 "right-oathauth-enable": "{{doc-right|oathauth-enable}}",
 "action-oathauth-enable": "{{doc-action|oathauth-enable}}",
@@ -52,6 +55,9 @@
 "right-oathauth-api-all": "{{doc-right|oathauth-api-all}}",
 "action-oathauth-api-all": "{{doc-action|oathauth-api-all}}",
 "oathauth-user-not-found": "Message that Special:DisableOATHForUser will display when no user account can be found with the name provided",
+ "oath-log-name": "The Special:Log log name that appears in the drop-down on the Special:Log page",
+ "oath-log-header": "The Special:Log description that appears on the Special:Log page when you filter logs on this specific log name",
+ "logentry-oath-disable-other": "The template of the log entry message",
 "apihelp-query+oath-description": "{{doc-apihelp-description|query+oath}}",
 "apihelp-query+oath-summary": "{{doc-apihelp-summary|query+oath}}",
 "apihelp-query+oath-param-user": "{{doc-apihelp-param|query+oath|user}}",
diff --git a/includes/special/SpecialDisableOATHForUser.php b/includes/special/SpecialDisableOATHForUser.php
index 1b41b378..b6bc239f 100644
--- a/includes/special/SpecialDisableOATHForUser.php
+++ b/includes/special/SpecialDisableOATHForUser.php
@@ -65,7 +65,13 @@ class SpecialDisableOATHForUser extends FormSpecialPage {
 'default' => '',
 'label-message' => 'oathauth-enteruser',
 'name' => 'user'
- ]
+ ],
+ 'reason' => [
+ 'type' => 'text',
+ 'default' => '',
+ 'label-message' => 'oathauth-enterreason',
+ 'name' => 'reason'
+ ],
 ];
 }
 
@@ -93,6 +99,12 @@ class SpecialDisableOATHForUser extends FormSpecialPage {
 $oathUser->setKey( null );
 $this->OATHRepository->remove( $oathUser, $this->getRequest()->getIP() );
 
+ $logEntry = new ManualLogEntry( 'oath', 'disable-other' );
+ $logEntry->setPerformer( $this->getUser() );
+ $logEntry->setTarget( $user->getUserPage() );
+ $logEntry->setComment( $formData['reason'] );
+ $logEntry->insert();
+
 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )->info(
 'OATHAuth disabled for {usertarget} by {user} from {clientip}', [
 'user' => $this->getUser()->getName(),
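Review bot: The new `reason` field in the first hunk is an unbounded free-text input that the second hunk stores verbatim as the log comment, so it should carry a length limit that matches what the comment store will accept rather than relying on silent truncation downstream, e.g. `'maxlength' => 255,` next to `'name' => 'reason'` (confirm the exact limit against core's comment length constant). Whether to also set `'required' => true,` is a policy call, but an audit trail of privileged 2FA removals is far more useful when every entry carries a reason, and the form is the only place that can enforce it. The method that returns this field array starts outside the hunk.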
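Review bot: In the second hunk `$logEntry->insert()` runs after `OATHRepository->remove()` with no shared transaction, so if the insert throws the key is already gone and neither the log row nor the structured `authentication` log line below is ever written — the one privileged action this patch sets out to audit can leave no trace. Consider passing the same write connection to `remove()` and `insert( $dbw )` so the removal and its audit row commit together, or at minimum emit the structured log line before the `ManualLogEntry` so a failed insert still leaves a record. Separately, `insert()` without `publish()` writes only the logging row, so no hooks fire and nothing reaches recent changes; that looks deliberate for a restricted log, but state it with a comment such as `// insert() only: restricted log, intentionally not published to RC/hooks`. The enclosing method begins and ends outside the hunk, and `$user` is defined above it.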