What is the problem?
A user who is hidden/suppressed via Special:CentralAuth can still use Special:EmailUser.
Special:EmailUser does not use PermissionManager::getPermissionErrors(), so does not trigger the onGetUserPermissionsErrorsExpensive hook which CentralAuth uses.
When suppressing a user, CentralAuth automatically creates a local database block which blocks the user from email. However, this block could be removed or not created in the first place if the user already has a block.
Steps to reproduce problem
Need to be logged in as a user with centralauth-oversight right
- Go to Special:CentralAuth/$user
- Click on the "Account is hidden completely" radio button, and then "Set status"
- CentralAuth automatically creates local database blocks, so go to Special:BlockList, find the newly created block, and unblock it
- Login as $user, go to Special:EmailUser
Expected behavior: You are blocked with a message like "You cannot edit because your account is locked."
Observed behavior: You can send an email.