Declare grant risk levels

createaccount is a core grant which by default isn't really
sensitive, but TitleBlacklist adds tboverride-account which
can be used for social engineering.

Using MediaWikiServices to change configuration is not great,
but it's the least bad option available today - other hooks run
too late, and the extension registry doesn't support extensions
overriding core values.

Bug: T290790
Depends-On: Ib7a195c167f82e686c4ede45388957f9988bf75d
Change-Id: I2d20190266e4094449b5857b88f962a444c2f9b5

extension.json

@@ -77,6 +77,7 @@
 		"localBasePath": "modules",
 		"remoteExtPath": "TitleBlacklist/modules"
 	},
+	"callback": "MediaWiki\\Extension\\TitleBlacklist\\Hooks::onRegistration",
 	"Hooks": {
 		"getUserPermissionsErrorsExpensive": "TitleBlacklistHookHandler",
 		"TitleGetEditNotices": "TitleBlacklistHookHandler",

includes/Hooks.php

@@ -16,6 +16,7 @@ use MediaWiki\Hook\EditFilterHook;
 use MediaWiki\Hook\MovePageCheckPermissionsHook;
 use MediaWiki\Hook\TitleGetEditNoticesHook;
 use MediaWiki\Html\Html;
+use MediaWiki\Permissions\GrantsInfo;
 use MediaWiki\Permissions\Hook\GetUserPermissionsErrorsExpensiveHook;
 use MediaWiki\Revision\RevisionRecord;
 use MediaWiki\Status\Status;
@@ -42,6 +43,16 @@ class Hooks implements
 	PageSaveCompleteHook
 {
 
+	public static function onRegistration() {
+		global $wgGrantRiskGroups;
+		// Make sure the risk rating is at least 'security'. TitleBlacklist adds the
+		// tboverride-account right to the createaccount grant, which makes it possible
+		// to use it for social engineering attacks with restricted usernames.
+		if ( $wgGrantRiskGroups['createaccount'] !== GrantsInfo::RISK_INTERNAL ) {
+			$wgGrantRiskGroups['createaccount'] = GrantsInfo::RISK_SECURITY;
+		}
+	}
+
 	/**
 	 * getUserPermissionsErrorsExpensive hook
 	 *