
Blocked users can still use oversight
Closed, Resolved, Public

Description

Author: artificial

Description:
I tested this on my own wiki, and while blocked, I was still able to oversight revisions on multiple pages and access oversighted data.

The only likely situation where a user with oversight privileges will be blocked is in the case of a compromised account, in which case any use of Special:HideRevision and Special:Oversight will not be legit. There's a potential for mischief here, given that un-oversighting revisions requires special privileges and effort beyond that of normal vandalism reversion.

It would be safer to disable access to these special pages immediately for blocked accounts. It's at least very unlikely to impede any legitimate use of them.

(This is just a suggestion, so it can be closed as WONTFIX if it's not a good idea.)


Version: unspecified
Severity: enhancement

Details

Reference
bz13036

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:07 PM
bzimport set Reference to bz13036.

They could just unblock themselves anyway, unless it was a non-admin Oversight...which I suppose is possible.

'Special' rights aren't blocked, only editing is. It'll only take another second to strip someone of his oversight rights after you block him. The real fun starts when blocking sysops: they can unblock themselves if you don't remember to de-sysop them as well.

artificial wrote:

Fair enough. Strange system where admins can unblock themselves.

Reopening this bug. Blocked sysops should be able *only* to unblock themselves; other actions (like deletion) should check for block status.

Blocked sysops should be able *only* to unblock themselves,
other actions (like deletion) should check for block status.

What sense does it make if a sysop performs the action or they unblock themselves and perform the action anyway?

(In reply to comment #5)

Blocked sysops should be able *only* to unblock themselves,
other actions (like deletion) should check for block status.

What sense does it make if a sysop performs the action or they unblock
themselves and perform the action anyway?

So it makes life harder for sysop vandals :)
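The two behaviours argued over in this thread, as an added example written for this page (it is not MediaWiki code and does not use MediaWiki's API): a weak check in which only editing consults block status, so a blocked oversighter can still reach Special:HideRevision and a blocked sysop can still delete, beside the hardened check proposed in comment #5, in which a blocked account may do nothing except unblock itself. The action-to-right table, the `User` record and the scenario users are constructed for the example.

```python
"""Model of the permission check discussed in bz13036 (added example, not
MediaWiki's implementation). A user holds a set of rights plus a 'blocked'
flag; the two check functions differ only in how the flag is consulted."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Hypothetical action -> required right mapping, built from the actions the
# thread names (editing, oversight/hiderevision, deletion, block/unblock).
REQUIRED_RIGHT = {
    "edit": "edit",
    "hiderevision": "oversight",
    "oversight": "oversight",
    "delete": "delete",
    "block": "block",
    "unblock": "block",
}


@dataclass
class User:
    name: str
    rights: Set[str] = field(default_factory=set)
    blocked: bool = False


def _has_right(actor: User, action: str) -> bool:
    right = REQUIRED_RIGHT.get(action)
    return right is not None and right in actor.rights


def weak_check(actor: User, action: str, target: Optional[str] = None) -> bool:
    """Behaviour described in the thread: 'special' rights are not blocked,
    only editing is, so block status is consulted for 'edit' alone."""
    if not _has_right(actor, action):
        return False
    if action == "edit" and actor.blocked:
        return False
    return True


def hardened_check(actor: User, action: str, target: Optional[str] = None) -> bool:
    """Behaviour proposed in comment #5: a blocked account may only unblock
    itself; every other action, special pages included, is refused."""
    if not _has_right(actor, action):
        return False
    if actor.blocked:
        return action == "unblock" and target == actor.name
    return True


def compromised_account_scenario(check: Callable[..., bool]) -> Dict[str, bool]:
    """Constructed scenario from the report: a non-admin oversighter and a
    sysop have both been blocked after a suspected compromise. Returns which
    actions the given check still permits them."""
    oversighter = User("ov", rights={"edit", "oversight"}, blocked=True)
    sysop = User("admin", rights={"edit", "delete", "block"}, blocked=True)
    return {
        "ov_edit": check(oversighter, "edit"),
        "ov_hiderevision": check(oversighter, "hiderevision"),
        "admin_delete": check(sysop, "delete"),
        "admin_unblock_self": check(sysop, "unblock", target="admin"),
        "admin_unblock_other": check(sysop, "unblock", target="ov"),
    }


if __name__ == "__main__":
    for name, check in (("weak", weak_check), ("hardened", hardened_check)):
        print(name, compromised_account_scenario(check))
```

Under `weak_check` the blocked oversighter is refused only the edit, and can still hide revisions; the blocked sysop can still delete and can unblock anyone, which is the "blocked sysops" problem raised in the comments. Under `hardened_check` the only permitted action for either blocked account is the sysop unblocking their own account, matching the rule proposed in comment #5; stripping the rights (as comment #4 suggests) remains the step that closes that last door.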