Page MenuHomePhabricator
Create Task
Maniphest T199993

Indef blocked users can get information exposed per mail
Closed, ResolvedPublic
Actions

Description

Steps to reproduce:

  1. You have a wiki (like arbcom-de, where this happened), where the configuration is set, that blocked users can't login. On this wiki we block former members, so that they don't have access anymore
  2. You copy a text from the real wiki, like dewiki, where one of the former members get mentioned (the former member is indef blocked)
  3. The former member recives a mail about the notification, where Information like the page titel etc. gets exposed

Expected behaviour / proposed solution:
When blocking accounts disallows login, then you should not recive mail for notification when blocked.

Details

SubjectRepoBranchLines +/-
Don't send email notifs to blocked users if $wgBlockDisablesLogin is truemediawiki/extensions/EchoREL1_29+11 -6
Don't send email notifs to blocked users if $wgBlockDisablesLogin is truemediawiki/extensions/EchoREL1_30+11 -6
Don't send email notifs to blocked users if $wgBlockDisablesLogin is truemediawiki/extensions/EchoREL1_27+11 -6
Don't send email notifs to blocked users if $wgBlockDisablesLogin is truemediawiki/extensions/EchoREL1_31+11 -6
Don't send email notifs to blocked users if $wgBlockDisablesLogin is truemediawiki/extensions/Echomaster+11 -6
Customize query in gerrit

Related Objects

Event Timeline

Luke081515 created this task.Jul 19 2018, 11:38 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 19 2018, 11:38 AM
Luke081515 added subscribers: Ghilt, Helfmann, Krd.Jul 19 2018, 11:40 AM
Luke081515 added projects: Notifications, MediaWiki-User-management.Jul 19 2018, 11:44 AM
Restricted Application added a project: Growth-Team. · View Herald TranscriptJul 19 2018, 11:44 AM
Luke081515 added a comment.Jul 19 2018, 6:02 PM

We are experiencing this problem on our arbcomwiki for de, that's why we are requesting as german arbcom to provide a quick fix please.

Luke081515 added a subscriber: Schiedsgericht.Jul 20 2018, 2:54 PM
Catrope moved this task from Inbox to Needs Discussion on the Growth-Team board.Aug 20 2018, 11:40 PM
Catrope added a subscriber: Growth-Team.
JTannerWMF moved this task from Needs Discussion to Upcoming Work on the Growth-Team board.Aug 22 2018, 5:58 PM
Jalexander added a project: Trust-and-Safety.Aug 22 2018, 10:05 PM
Jalexander moved this task from Backlog to Security/Privacy on the Trust-and-Safety board.
Jalexander subscribed.
Catrope subscribed.Aug 22 2018, 10:08 PM

Related: T54453: Accounts blocked on wikis with wgBlockDisablesLogin enabled should not continue to receive email notifications, which fixed exactly the same issue but only for enotif emails, not Echo emails.

Catrope added a subscriber: Reedy.Aug 22 2018, 10:14 PM

Proposed patch:

0001-Don-t-send-email-notifs-to-blocked-users-if-wgBlockD.patch1 KBDownload

@Reedy Mind if I have this ride along with T151910: Globally blocked users can still use Thanks for one consolidated security deploy after I get this reviewed?

Catrope mentioned this in T151910: Globally blocked users can still use Thanks.Aug 22 2018, 10:15 PM
Catrope edited projects, added Growth-Team (Sprint 0 (Growth Team)); removed Growth-Team.
Catrope moved this task from Incoming to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.
Ladsgroup subscribed.Aug 22 2018, 10:37 PM
In T199993#4525122, @Catrope wrote:

Proposed patch:

0001-Don-t-send-email-notifs-to-blocked-users-if-wgBlockD.patch1 KBDownload

@Reedy Mind if I have this ride along with T151910: Globally blocked users can still use Thanks for one consolidated security deploy after I get this reviewed?

Reviewing your patch:
One note:

+ ( $wgBlockDisablesLogin && $user->isBlocked() )

Can we add "|| $user->isBlockedGlobally()" to it? because isBlocked() returns none for globally blocked users and that's the whole reason we have T151910
Otherwise it looks good and I approve it

Catrope added a comment.Aug 22 2018, 11:14 PM

I don't think it would be correct to check isBlockedGlobally() in this case. Global blocks are IP-based, not user-based, and in the context where we're sending an email to a user we don't even have an IP to look at (or if we do, it's the IP of the user that caused the event, not the one that's receiving the notification).

SBisson assigned this task to Catrope.Aug 23 2018, 12:50 PM
kostajh subscribed.Aug 23 2018, 12:57 PM

@Catrope the patch looks good to me, and I agree with your point about isBlockedGlobally().

Ladsgroup added a comment.Aug 23 2018, 1:07 PM
In T199993#4525297, @Catrope wrote:

I don't think it would be correct to check isBlockedGlobally() in this case. Global blocks are IP-based, not user-based, and in the context where we're sending an email to a user we don't even have an IP to look at (or if we do, it's the IP of the user that caused the event, not the one that's receiving the notification).

I didn't know about this, thanks for clarification, +2 on my side.

Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 23 2018, 6:36 PM

Patch: https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Echo/+/454881 (already deployed on the cluster)

gerritbot subscribed.Aug 23 2018, 7:02 PM

Change 454881 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454881

Luke081515 added a subscriber: Der-Wir-Ing.Aug 23 2018, 7:27 PM
Catrope closed this task as Resolved.Aug 23 2018, 7:32 PM
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)).Aug 23 2018, 8:01 PM
gerritbot added a comment.Aug 23 2018, 8:28 PM

Change 454912 had a related patch set uploaded (by Reedy; owner: Catrope):
[mediawiki/extensions/Echo@REL1_31] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454912

gerritbot added a project: Patch-For-Review.Aug 23 2018, 8:28 PM

Change 454913 had a related patch set uploaded (by Reedy; owner: Catrope):
[mediawiki/extensions/Echo@REL1_30] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454913

gerritbot added a comment.Aug 23 2018, 8:29 PM

Change 454914 had a related patch set uploaded (by Reedy; owner: Catrope):
[mediawiki/extensions/Echo@REL1_27] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454914

gerritbot added a comment.Aug 23 2018, 8:30 PM

Change 454915 had a related patch set uploaded (by Reedy; owner: Catrope):
[mediawiki/extensions/Echo@REL1_29] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454915

gerritbot added a comment.Aug 23 2018, 9:14 PM

Change 454912 merged by jenkins-bot:
[mediawiki/extensions/Echo@REL1_31] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454912

gerritbot added a comment.Aug 23 2018, 9:19 PM

Change 454914 merged by jenkins-bot:
[mediawiki/extensions/Echo@REL1_27] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454914

gerritbot added a comment.Aug 23 2018, 10:25 PM

Change 454913 merged by jenkins-bot:
[mediawiki/extensions/Echo@REL1_30] Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

https://gerrit.wikimedia.org/r/454913

matej_suchanek merged a task: T154152: Email notifications still going to users with blocked accounts on $wgBlockDisablesLogin private wikis.Sep 17 2018, 11:38 AM
matej_suchanek added subscribers: Krenair, jmatazzoni, Slaporte and 2 others.
gerritbot added a comment.Oct 9 2018, 5:16 PM

Change 454915 abandoned by Reedy:
Don't send email notifs to blocked users if $wgBlockDisablesLogin is true

Reason:
No one cares about REL1_29 anymore

https://gerrit.wikimedia.org/r/454915

chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Aklapper removed a subscriber: Growth-Team.May 16 2023, 10:22 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL