
Blocked users can use Special:UserRights
Closed, Resolved (Public)

Description

  1. (User rights log); 02:18 . . MZMcBride (Talk | contribs | block) changed group membership for User:Bunnyrabbitholla! from (none) to Editors and Reviewers (testing)
  2. (Block log); 02:17 . . MZMcBride (Talk | contribs | block) blocked MZMcBride (Talk | contribs) with an expiry time of 10 minutes (autoblock disabled) (testing)

This seems rather silly. Blocked users should only be able to unblock themselves (if they have the appropriate right). Nothing else.


Version: unspecified
Severity: enhancement

Details

Reference
bz17014

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:24 PM
bzimport set Reference to bz17014.
bzimport added a subscriber: Unknown Object (MLST).

If a user can grant a flag with the block right, but for some reason doesn't have it (or any other flag with block) set on themselves and then gets blocked, what would they do then if they got "you are blocked" errors upon trying to give themselves the rights needed to lift the block?

matthew.britton wrote:

(In reply to comment #1)

If a user can grant a flag with the block right, but for some reason doesn't
have it (or any other flag with block) set on themselves and then gets blocked,
what would they do then if they got "you are blocked" errors upon trying to
give themselves the rights needed to lift the block?

Get someone else to unblock them?

Is there any reason to do this other than "this seems silly"?

If a user is blocked, presumably someone didn't want them making any actions on the wiki. A user could, for example, assign themselves +editor and then remove it from themselves with spam in the edit summaries. Or an insecure bureaucrat account that has been blocked but not yet had its rights removed could remove rights from other accounts.

If an account is blocked, it should be _blocked_. It should only be able to perform a very limited set of actions (really only being able to unblock itself) and that's it.

What is the point if he can unblock himself and then do all the actions again? What if someone blocks everybody else from using user rights?

herd wrote:

It is possible to have opt-in groups (as per test.wikipedia) whereby a user without block/unblock ability can manipulate user rights.

I suggest that anyone with access to UserRights via: $wgAddGroups, $wgRemoveGroups, $wgGroupsAddToSelf, $wgGroupsRemoveFromSelf should be blocked from editing user rights if they are blocked.

Conversely, anyone with the 'userrights' permission should not be blocked from user rights if blocked, as this implies full access to all rights on the wiki (in theory). The reason is: having 'userrights' permission does not imply having 'block'. It is not uncommon for a 'bureaucrat' to not also be a 'sysop' (obviously does not apply to WMF projects, where bureaucrats don't have full access to userrights).

2 cents.
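
The rule herd proposes above, modelled as a standalone PHP check. This is an added example, not MediaWiki's code and not the change made in r52082; the group names (`flagger`, `tester`), the `$config` wrapper and the function names are assumptions for illustration.

```php
<?php
// Added illustration: a standalone model of the rule proposed above, not MediaWiki code.
// Arrays mirror the shape of the settings named in the comment; group names are constructed.
$config = [
    'wgGroupPermissions'     => ['bureaucrat' => ['userrights' => true]],
    'wgAddGroups'            => ['flagger' => ['editor', 'reviewer']],
    'wgRemoveGroups'         => ['flagger' => ['editor', 'reviewer']],
    'wgGroupsAddToSelf'      => ['user' => ['tester']],   // opt-in group
    'wgGroupsRemoveFromSelf' => ['user' => ['tester']],
];

// True if any of the user's groups grants the full 'userrights' permission.
function hasFullUserRights(array $groups, array $config): bool {
    foreach ($groups as $g) {
        if (!empty($config['wgGroupPermissions'][$g]['userrights'])) {
            return true;
        }
    }
    return false;
}

// True if any group gets limited group-change access through one of the four settings.
function hasLimitedGroupAccess(array $groups, array $config): bool {
    foreach (['wgAddGroups', 'wgRemoveGroups', 'wgGroupsAddToSelf', 'wgGroupsRemoveFromSelf'] as $key) {
        foreach ($groups as $g) {
            if (!empty($config[$key][$g])) {
                return true;
            }
        }
    }
    return false;
}
// Hypothetical helper: the proposed decision for access to the rights form.
function mayChangeGroups(array $groups, bool $blocked, array $config): bool {
    if (hasFullUserRights($groups, $config)) {
        return true; // the proposal exempts full 'userrights' holders from the block
    }
    return !$blocked && hasLimitedGroupAccess($groups, $config);
}
// Constructed sample accounts: label => [groups, blocked]
$cases = [
    'blocked bureaucrat' => [['user', 'bureaucrat'], true],
    'blocked flagger'    => [['flagger'], true],
    'unblocked flagger'  => [['flagger'], false],
];
foreach ($cases as $label => [$groups, $blocked]) {
    printf("%-20s %s\n", $label, mayChangeGroups($groups, $blocked, $config) ? 'allowed' : 'denied');
}
```

Under this rule a blocked account with only limited group-change access is denied, while a blocked holder of `userrights` keeps access, which is the residual risk the earlier comment about a compromised bureaucrat account describes.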

skizzerz wrote:

fixed in r52082