Page MenuHomePhabricator

API list=blocks reveals private data
Closed, ResolvedPublic


The current implementation of the IP block list reveals the IP address(es) of users who are autoblocked in breach of [[wikimedia:Privacy policy]]. See for an example query where this problem occurs.

Expected behaviour: list the autoblock id only in the user attribute as in [[Special:Ipblocklist]] (#xxxxxx) for the entries that deal with autoblocks. Example: user="#123".

Actual behaviour: the IP of the autoblocked users is shown in the user attribute instead.

Version: 1.12.x
Severity: blocker



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:55 PM
bzimport set Reference to bz12321.
bzimport added a subscriber: Unknown Object (MLST).

Disabled list=blocks on Wikimedia pending a fix.