Page MenuHomePhabricator

ipblock-exempt does not allow account creation when blocked
Open, Needs TriagePublic

Description

When an IP is blocked, the underlying user cannot create accounts if they have the ipblock-exempt right (incl sysops)

From my test-wiki (just cloned from gerrit):

https://i.imgur.com/3DKnyq1.png - Blocked w/o sysop


https://i.imgur.com/aDeEwmR.png - Blocked with sysop

https://i.imgur.com/iaKvsk4.png - Block options

Only block option was account creation disabled. Tested IPv4 and IPv6 blocks. Tested range and directed blocks.

More info: https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Archive297#All_user_accounts_are_restricted_from_account_creation_while_doing_so_from_a_blocked_IP_or_range

Event Timeline

SQL created this task.Mar 10 2018, 4:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2018, 4:37 AM
SQL updated the task description. (Show Details)Mar 10 2018, 4:44 AM
1997kB added a subscriber: 1997kB.Mar 10 2018, 7:34 AM
JJMC89 added a subscriber: JJMC89.Mar 10 2018, 9:08 AM
Nick added a subscriber: Nick.Mar 12 2018, 12:19 PM
SQL updated the task description. (Show Details)Mar 18 2018, 3:49 PM
1997kB triaged this task as Unbreak Now! priority.May 18 2018, 1:34 PM
Restricted Application added subscribers: Liuxinyu970226, TerraCodes. · View Herald TranscriptMay 18 2018, 1:35 PM

Is anyone working on it?

No.

Is this a regression? Why is it "unbreak now"?

matmarex updated the task description. (Show Details)May 18 2018, 3:54 PM
matmarex lowered the priority of this task from Unbreak Now! to Needs Triage.May 18 2018, 4:25 PM

It seems that AuthManager checks the user rights too stringently (when calling isBlockedFromCreateAccount()). In addition to checking whether the account creator can create the new account (AuthManager::checkAccountCreatePermissions()), it also checks whether the new account can create itself (CheckBlocksSecondaryAuthenticationProvider::testUserForCreation()). I think that is incorrect, but perhaps there is a reason for this (or perhaps it has always been this way, and you're in fact requesting a new feature).

matmarex removed a subscriber: matmarex.May 18 2018, 4:31 PM
BRPever removed a subscriber: BRPever.

Today, I was not able to reproduce it on https://test.wikipedia.org (1.33.0-wmf.20 (f929e2a) 23:04, 6 March 2019). I tried a non-anonymous block of an IP range and both an anonymous and a non-anonymous block for a single IP.

But, I can reproduce it on https://en.wikipedia.beta.wmflabs.org (1.33.0-alpha (278ac40) 23:37, 10 March 2019).

Work is ongoing for partial blocks, but I don't know if that is related.

Izno added a subscriber: Izno.Sun, May 5, 8:29 PM