Handle blocked users consistently
Closed, ResolvedPublic

Description

The OAuth code uses $user->isLocked() || $wgBlockDisablesLogin && $user->isBlocked() half the time (/identify, API) and just $user->isBlocked() the other half (authorization) which does not really make sense. We should ensure that blocked status is handled consistently (probably via the first version of the logic as there is no good reason to take local blocks into account if the wiki still allows login - /identify tells the app the user has been blocked so it can decide what to do about it).

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2017, 3:02 PM
Trizek-WMF updated the task description. (Show Details)Jan 31 2017, 3:03 PM
Trizek-WMF added a subscriber: Magnus.
xcombelle updated the task description. (Show Details)Jan 31 2017, 3:12 PM

The issue here (as far as I can tell) is that edits via OAuth are blocked by MediaWiki, but edits to the internal tool database were not.
I am now using an API request to check for blocked status, and disallow these edits, in mix'n'match.
The issue might affect other tools, which then will have to be altered in a similar fashion.

The block information does not appear to be available in the Labs DB replicas, is that correct? A basic "yes or no" would speed things up, compared to API requests.

Tgr added a subscriber: Tgr.Jan 31 2017, 10:54 PM

Tools using OAuth to edit are most certainly affected by blocks.

It does not make sense in general to fail authentication (which is probably the only thing mixnmatch uses OAuth for) just because the user is blocked. Some people want to use OAuth for unblock request management tools, for example. In cases where the block prevents login (private wikis, or global lock - not global block, I think) OAuth does refuse authentication. (Or it should - please file a security bug if that's not the case.)

We could return block information from Special:OAuth/identify, maybe. Other than that, I don't think there is anything actionable here as far as the OAuth extension goes.

Tgr added a comment.Feb 8 2017, 2:00 AM

Someone has complained that OAuth should *not* take local blocks into account. I looked through the code and apparently we use $user->isLocked() || $wgBlockDisablesLogin && $user->isBlocked() half the place and just $user->isBlocked() the other half, so blocked users might or might not get denied somewhat randomly. I'll repurpose this task into cleaning that up (probably by making it ignore local blocks consistently).

We could return block information from Special:OAuth/identify, maybe. Other than that, I don't think there is anything actionable here as far as the OAuth extension goes.

Actually we already do that, it's the blocked field of the JWT (except we don't set it when the user is blocked + hidden - that should be fixed). So if any application cares about blocked status they can easily check.

Tgr added a comment.Feb 8 2017, 2:02 AM

The original task description was

Take local bans into consideration in Oauth
A banned user on Wikidata is able to use external tools (here mixnmatch) that use OAuth. This has an impact for other people who contribute to Wikidata, because the user is removing correct suggestions and marking as non-applicable to Wikidata entries which are applicable to Wikidata.

apart of having a way to deal with vandalism on mixnmatch, OAuth should have an option to forbid access to tools related to a project for users blocked on those projets.

Tgr renamed this task from Take local bans into consideration in Oauth to Handle blocked users consistently.Feb 8 2017, 2:06 AM
Tgr updated the task description. (Show Details)

Change 336602 had a related patch set uploaded (by Gergő Tisza):
Make handling of blocked users consistent

https://gerrit.wikimedia.org/r/336602

Change 336602 merged by jenkins-bot:
Make handling of blocked users consistent

https://gerrit.wikimedia.org/r/336602

Tgr closed this task as Resolved.Feb 16 2017, 9:05 PM
Tgr claimed this task.