Blocked users can upload files to stash
Closed, ResolvedPublic
Actions

Description

Blocked users can stash files. This is not a big problem (since they can do nothing else with them), but still seems unintended.

Details

	Subject	Repo	Branch	Lines +/-
	Check if user is blocked during upload process	mediawiki/core	master	+18 -0
	Add i18n keys for blocked messages	mediawiki/extensions/UploadWizard	master	+2 -0

Customize query in gerrit

Related Objects

Mentioned In: T111174: Special:UploadWizard needs to notify globally blocked users at the beginning of the process, and provide a standard block message
Mentioned Here: T111174: Special:UploadWizard needs to notify globally blocked users at the beginning of the process, and provide a standard block message

Event Timeline

matmarex created this task.Sep 2 2015, 6:04 PM

matmarex raised the priority of this task from to Needs Triage.

matmarex updated the task description. (Show Details)

matmarex added projects: MediaWiki-User-management, MediaWiki-Uploading.

matmarex subscribed.

Restricted Application added a project: Multimedia. · View Herald TranscriptSep 2 2015, 6:04 PM

Restricted Application added subscribers: Steinsplitter, Aklapper. · View Herald Transcript

matmarex mentioned this in T111174: Special:UploadWizard needs to notify globally blocked users at the beginning of the process, and provide a standard block message.Sep 2 2015, 6:06 PM

Matanya subscribed.Sep 2 2015, 9:03 PM

Billinghurst subscribed.Sep 3 2015, 3:06 AM

Jdforrester-WMF triaged this task as Low priority.Sep 4 2015, 6:48 PM

Jdforrester-WMF set Security to None.

Jdforrester-WMF moved this task from Untriaged to Next up on the Multimedia board.Sep 4 2015, 6:57 PM

@matmarex, could you elaborate on how to reproduce this ?

I tried this on a local installation of mediawiki, where I created a user and blocked it.
Now when I login as that user, and go to the Special:Upload page, it says I was blocked.
When I login as that user, and go to the Special:UploadWizard page, it again says I was blocked.

@TasneemLo it was related to global blocks, per T111174 was my understanding.

@TasneemLo, you can only stash the file, you can't "publish" it on the wiki.

Special:Upload generally doesn't use stash (I think it does if the file is uploaded, but there are errors to be corrected in the description?), but it should be possible to reproduce with UploadWizard:

As user A, who is not blocked, visit Special:UploadWizard. Don't do anything else yet.
In a private browser tab, log in as user B and block user A.
As user A, continue by uploading a file and going through the whole form. You will only get an error message at the final step (when trying to publish the file), not at the first step (when it is uploaded).

(And yes, you could previously run into this when globally blocked, because UploadWizard was not checking for global blocks before displaying the form. This is now fixed and you have to be blocked while working through the form to run into this in practice.)

Billinghurst unsubscribed.Dec 14 2015, 11:40 AM

Trijnstel subscribed.Dec 18 2015, 12:40 PM

TasneemLo unsubscribed.Dec 20 2015, 9:14 AM

matthiasmullie claimed this task.Apr 28 2016, 2:21 PM

Change 286161 had a related patch set uploaded (by Matthias Mullie):
Check if user is blocked during upload process

https://gerrit.wikimedia.org/r/286161

gerritbot added a project: Patch-For-Review.Apr 29 2016, 2:25 PM

matthiasmullie moved this task from Next up to Needs code review on the Multimedia board.Apr 29 2016, 2:25 PM

Change 286413 had a related patch set uploaded (by Matthias Mullie):
Add i18n keys for blocked messages

https://gerrit.wikimedia.org/r/286413

Change 286161 merged by jenkins-bot:
Check if user is blocked during upload process

https://gerrit.wikimedia.org/r/286161