mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
synced 2024-11-28 02:00:06 +00:00
498dcfeb80
Users in groups listed in $wgOATHRequiredForGroups (default none) must have two-factor authentication enabled otherwise their membership in those groups will be disabled. This is done using the UserEffectiveGroups hook, which allows dynamically adding or removing user groups. If a user doesn't have 2FA enabled, it will appear to them as if they aren't a member of the group at all. Special:Preferences will show which groups are disabled. In the future it would be good to have a hook into PermissionsError to show this as well. The UserGetRights hook is used to ensure the user still has the "oathauth-enable" user right in case it was only granted to them as part of the user group they are disabled from. On the outside, Special:ListUsers will still show the user as a member of the group. The API list=users&prop=groups|groupmemberships will show inconsistent informaiton, groups will remove disabled groups while groupmemberships will not. This functionality was somewhat already available with $wgOATHExclusiveRights, except that implementation has flaws outlined at T150562#6078263 and haven't been resolved in I69af6a58e4 for over a year now. If this works out, it's expected that will be deprecated/removed. Bug: T150562 Change-Id: I07ebddafc6f2233ccec216fa8ac6e996553499fb |
||
|---|---|---|
| .phan | ||
| i18n | ||
| maintenance | ||
| modules/totp | ||
| sql | ||
| src | ||
| tests/phpunit/Auth | ||
| .eslintignore | ||
| .eslintrc.json | ||
| .gitignore | ||
| .gitreview | ||
| .phpcs.xml | ||
| .stylelintrc.json | ||
| CODE_OF_CONDUCT.md | ||
| composer.json | ||
| COPYING | ||
| extension.json | ||
| Gruntfile.js | ||
| OATHAuth.alias.php | ||
| package-lock.json | ||
| package.json | ||
| ServiceWiring.php | ||