Yeah, you're right, that's my mistake. Would you like to submit a patch or shall I?

OATHAuth removes interface-admin from your effective groups when you don't use 2FA. Some groups-related MediaWiki APIs report your effective groups (as in UserGroupManager::getUserEffectiveGroups(), others report your explicit groups (as in UserGroupManager::getUserGroups()) which don't include groups added/removed dynamically by hooks, autopromotion-based groups, implicit groups like temp... It's not great, but also not easy to fix (calculating effective groups is probably too expensive for batch APIs, and it's impossible to filter on non-explicit groups), and not specific to OATHAuth.

I think the docs that @LucasWerkmeister wrote were the actionable outcome here.

It's a bit hard to interpret the task description and the comments; apparently both pages mentioned in the description have been successfully deleted in the meantime, and the page history shows Unknown user for the first edit.

mysql:research@dbstore1007.eqiad.wmnet [zhwikisource]> select * from archive where ar_title = '宇宙浪子' and ar_parent_id = 0;
+-------+--------------+--------------+---------------+----------+----------------+---------------+-----------+------------+--------+------------+--------------+---------------------------------+
| ar_id | ar_namespace | ar_title     | ar_comment_id | ar_actor | ar_timestamp   | ar_minor_edit | ar_rev_id | ar_deleted | ar_len | ar_page_id | ar_parent_id | ar_sha1                         |
+-------+--------------+--------------+---------------+----------+----------------+---------------+-----------+------------+--------+------------+--------------+---------------------------------+
| 55702 |            0 | 宇宙浪子     |             1 |    72325 | 20010115000000 |             0 |    209282 |          0 |     28 |     108661 |            0 | 91nyffwsl71ubxm0dji7u1bljr5d8fl |
+-------+--------------+--------------+---------------+----------+----------------+---------------+-----------+------------+--------+------------+--------------+---------------------------------+
1 row in set (0.094 sec)

I'm not sure why Growth Team would have been the maintainer of this back in 2018, but I'm pretty sure we no longer own the logic to delete pages in 2025. Untagging us, and tagging the platform team maybe, because this is very much MediaWiki core? No idea if anything here still needs doing.

IIRC @mpopov and I discussed this in Slack some time ago and arrived at a potential solution: Have Varnish derive one or more session cookies from Edge Unique cookie, e.g.

It's more or less the same issue (the less part is that in theory you could have a manual way to create global system users, that doesn't automatically get applied to all system users; but that seems like overcomplicating it) but it's more complex than just attaching. What if the central account does not exist yet? What if it exists but isn't a system user (and you are using the steal flag)? We don't even have an isSystemUser() equivalent for central users.

I've been cleaning up some tasks about global system users. It's not clear to me what is the difference between this task and T275931: Have new system users be automatically attached to CentralAuth.

Documented the 2FA requirement on mw:Beta Cluster, maybe it helps someone in future.

Change #1153674 abandoned by Lucas Werkmeister:

[operations/mediawiki-config@master] beta cluster: Disable $wgOATHRequiredForGroups

https://gerrit.wikimedia.org/r/1153674

In T396061#10885359, @LucasWerkmeister wrote:

I don’t even want to imagine what horrible things this enforcement mechanism is doing to make MediaWiki behave in this bizarre way.

@KColeman-WMF the expiry indentation could be removed with a small patch if necessary.

Two issues with the current design were noted in T394933#10885774:

• The extra indentation of the expiry fields is jarring (implemented in this line of CSS)
• The column widths are uneven, with the "Groups you can change" column being much wider

Mentioned in SAL (#wikimedia-operations) [2025-06-04T20:15:25Z] <cjming@deploy1003> Finished scap sync-world: Backport for [[gerrit:1153673|beta cluster: Set $wgOATHAuthAccountPrefix (T396061)]] (duration: 10m 13s)

Mentioned in SAL (#wikimedia-operations) [2025-06-04T20:07:18Z] <cjming@deploy1003> lucaswerkmeister, cjming: Backport for [[gerrit:1153673|beta cluster: Set $wgOATHAuthAccountPrefix (T396061)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-06-04T20:05:11Z] <cjming@deploy1003> Started scap sync-world: Backport for [[gerrit:1153673|beta cluster: Set $wgOATHAuthAccountPrefix (T396061)]]

Change #1153673 merged by jenkins-bot:

[operations/mediawiki-config@master] beta cluster: Set $wgOATHAuthAccountPrefix

https://gerrit.wikimedia.org/r/1153673

Change #1153343 merged by jenkins-bot:

[mediawiki/core@master] user: Remove hard-deprecated User::whoIs/whoIsReal

https://gerrit.wikimedia.org/r/1153343

Change #1153674 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[operations/mediawiki-config@master] beta cluster: Disable $wgOATHRequiredForGroups

https://gerrit.wikimedia.org/r/1153674

Change #1153673 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[operations/mediawiki-config@master] beta cluster: Set $wgOATHAuthAccountPrefix

https://gerrit.wikimedia.org/r/1153673

I set up 2FA for my Beta account and then it’s no longer my problem