Page MenuHomePhabricator

ipblock-exempt does not allow account creation when blocked
Open, Needs TriagePublic


When an IP is blocked, the underlying user cannot create accounts if they have the ipblock-exempt right (incl sysops)

From my test-wiki (just cloned from gerrit): - Blocked w/o sysop - Blocked with sysop - Block options

Only block option was account creation disabled. Tested IPv4 and IPv6 blocks. Tested range and directed blocks.

More info:

Event Timeline

SQL created this task.Mar 10 2018, 4:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2018, 4:37 AM
SQL updated the task description. (Show Details)Mar 10 2018, 4:44 AM
1997kB added a subscriber: 1997kB.Mar 10 2018, 7:34 AM
JJMC89 added a subscriber: JJMC89.Mar 10 2018, 9:08 AM
Nick added a subscriber: Nick.Mar 12 2018, 12:19 PM
SQL updated the task description. (Show Details)Mar 18 2018, 3:49 PM
1997kB triaged this task as Unbreak Now! priority.May 18 2018, 1:34 PM
Restricted Application added subscribers: Liuxinyu970226, TerraCodes. · View Herald TranscriptMay 18 2018, 1:35 PM

Is anyone working on it?


Is this a regression? Why is it "unbreak now"?

matmarex updated the task description. (Show Details)May 18 2018, 3:54 PM
matmarex lowered the priority of this task from Unbreak Now! to Needs Triage.May 18 2018, 4:25 PM

It seems that AuthManager checks the user rights too stringently (when calling isBlockedFromCreateAccount()). In addition to checking whether the account creator can create the new account (AuthManager::checkAccountCreatePermissions()), it also checks whether the new account can create itself (CheckBlocksSecondaryAuthenticationProvider::testUserForCreation()). I think that is incorrect, but perhaps there is a reason for this (or perhaps it has always been this way, and you're in fact requesting a new feature).

matmarex removed a subscriber: matmarex.May 18 2018, 4:31 PM
BRPever removed a subscriber: BRPever.

Today, I was not able to reproduce it on (1.33.0-wmf.20 (f929e2a) 23:04, 6 March 2019). I tried a non-anonymous block of an IP range and both an anonymous and a non-anonymous block for a single IP.

But, I can reproduce it on (1.33.0-alpha (278ac40) 23:37, 10 March 2019).

Work is ongoing for partial blocks, but I don't know if that is related.

Izno added a subscriber: Izno.May 5 2019, 8:29 PM

Per T15611: Blocking account creation on an IP address should apply to logged in users too it is intentional that blocks that disable createaccount should have that applied to logged in users; however, I don't see ipblock-exempt mentioned. r41150 was by @aaron with follow-up by @tstarling.

	 * Get whether the user is explicitly blocked from account creation.
	 * @return bool|AbstractBlock
	public function isBlockedFromCreateAccount() {
		if ( $this->mBlock && $this->mBlock->appliesToRight( 'createaccount' ) ) {
			return $this->mBlock;
		# T15611: if the IP address the user is trying to create an account from is
		# blocked with createaccount disabled, prevent new account creation there even
		# when the user is logged in
		if ( $this->mBlockedFromCreateAccount === false && !$this->isAllowed( 'ipblock-exempt' ) ) {
			$this->mBlockedFromCreateAccount = DatabaseBlock::newFromTarget(
				null, $this->getRequest()->getIP()
		return $this->mBlockedFromCreateAccount instanceof AbstractBlock
			&& $this->mBlockedFromCreateAccount->appliesToRight( 'createaccount' )
			? $this->mBlockedFromCreateAccount
			: false;

(That's all the further that I'm able to get investigating this.)

I have just encounted this issue when trying to create an account for a trainee at the university where I am Wikimedian in Residence, via en.Wikipedia. I have "IP Block exempt" and "account creator" rights on that project.