Page MenuHomePhabricator
Create Task
Maniphest T208862

Title::checkUserBlock should call User::isBlockedFrom for every action that requires unblock
Closed, ResolvedPublic
Actions

Description

Problem
in Title::checkUserBlock the title is not checked for a block if the action is not create or edit. This means other actions like move-subpages returns an error for partially blocked users.

$useSlave = ( $rigor !== 'secure' );
if ( ( $action == 'edit' || $action == 'create' )
	&& !$user->isBlockedFrom( $this, $useSlave )
) {
	// Don't block the user from editing their own talk page unless they've been
	// explicitly blocked from that too.
} elseif ( $user->isBlocked() && $user->getBlock()->prevents( $action ) !== false ) {
	// @todo FIXME: Pass the relevant context into this function.
	$errors[] = $user->getBlock()->getPermissionsError( RequestContext::getMain() );
}

return $errors;

This will return an error because $user->getBlock()->prevents( $action ) will return null

Solution
The code above should be replaced with:

$block = $user->getBlock( $useReplica );

// The block may explicitly allow an action (like "read" or "upload").
if ( $block && $block->prevents( $action ) === false ) {
  return $errors;
}

// Determine if the user is blocked from this action on this page.
try {
  // @todo FIXME: Pass the relevant context into this function.
  $action = Action::factory( $action, WikiPage::factory( $this ), RequestContext::getMain() );
} catch ( Exception $e ) {
  $action = null;
}

// If no action object is returned, assume that the action requires unblock
// which is the default.
if ( !$action || $action->requiresUnblock() ) {
  if ( $user->isBlockedFrom( $this, $useReplica ) ) {
    // @todo FIXME: Pass the relevant context into this function.
    $errors[] = $block
      ? $block->getPermissionsError( RequestContext::getMain() )
      : [ 'actionblockedtext' ];
  }
}

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Revert "Revert "Title::checkUserBlock should call User::isBlockedFrom for every action""mediawiki/coremaster+81 -12
Title::checkUserBlock should call User::isBlockedFrom for every actionmediawiki/coremaster+71 -12
Customize query in gerrit

Related Objects
Search...

Event Timeline

dbarratt created this task.Nov 6 2018, 3:47 PM
Restricted Application added subscribers: MGChecker, Aklapper. · View Herald TranscriptNov 6 2018, 3:47 PM
dbarratt updated the task description. (Show Details)Nov 6 2018, 3:50 PM
dbarratt updated the task description. (Show Details)
dbarratt merged a task: T205895: Title::checkUserBlock does not return an an error if User::isBlockedFrom() returns true and Block::prevents('edit') returns false.Nov 6 2018, 3:54 PM
dbarratt added parent tasks: T208857: A partially blocked user should be able to perform page moves on unrelated pages, T208273: Partially blocked users should be able to rename/move pages (outside their block).
dbarratt added a subscriber: Anomie.
gerritbot subscribed.Nov 6 2018, 4:04 PM

Change 471993 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/core@master] Title::checkUserBlock should call User::isBlockedFrom for every action

https://gerrit.wikimedia.org/r/471993

gerritbot added a project: Patch-For-Review.Nov 6 2018, 4:04 PM
dbarratt updated the task description. (Show Details)Nov 6 2018, 4:05 PM
dbarratt edited projects, added Anti-Harassment-Team (AHT Sprint 32); removed Anti-Harassment-Team.
dbarratt moved this task from Ready to Review on the Anti-Harassment-Team (AHT Sprint 32) board.
dbarratt moved this task from Backlog to User blocking on the MediaWiki-User-management board.
dbarratt mentioned this in T208857: A partially blocked user should be able to perform page moves on unrelated pages.
dbarratt updated the task description. (Show Details)Nov 6 2018, 4:07 PM
Oshwah subscribed.Nov 6 2018, 4:56 PM
dbarratt mentioned this in T208919: Partially blocked users should be able to review pending changes for other pages.Nov 7 2018, 4:23 PM
dbarratt added a parent task: T208919: Partially blocked users should be able to review pending changes for other pages.
TBolliger triaged this task as High priority.Nov 7 2018, 5:20 PM
dbarratt added a parent task: T208560: If a user is partially blocked they should be able to perform rollback on unrelated pages.Nov 7 2018, 10:14 PM
dbarratt mentioned this in T208560: If a user is partially blocked they should be able to perform rollback on unrelated pages.
dbarratt claimed this task.Nov 8 2018, 4:40 PM
TBolliger moved this task from AHT Sprint 32 to AHT Sprint 33 on the Anti-Harassment-Team board.Nov 8 2018, 8:02 PM
TBolliger edited projects, added Anti-Harassment-Team (AHT Sprint 33); removed Anti-Harassment-Team (AHT Sprint 32).
TBolliger moved this task from Ready to Review on the Anti-Harassment-Team (AHT Sprint 33) board.Nov 8 2018, 8:04 PM
dbarratt added a parent task: T208968: Partially blocked users should be able to patrol edits for other pages.Nov 8 2018, 8:13 PM
TBolliger mentioned this in T208968: Partially blocked users should be able to patrol edits for other pages.Nov 9 2018, 6:52 PM
TBolliger mentioned this in T208274: Partially blocked admins should be able to protect & delete pages.Nov 9 2018, 6:54 PM
dbarratt removed a parent task: T208560: If a user is partially blocked they should be able to perform rollback on unrelated pages.Nov 12 2018, 2:59 PM
dbarratt removed a parent task: T208968: Partially blocked users should be able to patrol edits for other pages.Nov 12 2018, 3:08 PM
dbarratt moved this task from Review to In progress on the Anti-Harassment-Team (AHT Sprint 33) board.Nov 12 2018, 3:29 PM
dbarratt moved this task from In progress to Review on the Anti-Harassment-Team (AHT Sprint 33) board.Nov 12 2018, 4:37 PM
gerritbot added a comment.Nov 19 2018, 10:24 PM

Change 471993 merged by jenkins-bot:
[mediawiki/core@master] Title::checkUserBlock should call User::isBlockedFrom for every action

https://gerrit.wikimedia.org/r/471993

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.6; 2018-11-27).Nov 19 2018, 11:01 PM
dbarratt closed this task as Resolved.Nov 19 2018, 11:30 PM
dbarratt moved this task from Review to Done on the Anti-Harassment-Team (AHT Sprint 33) board.
dbarratt mentioned this in T210953: Wikidata is editable for blocked users.Dec 3 2018, 12:41 AM
TBolliger reopened this task as Open.Dec 3 2018, 5:06 PM
TBolliger edited projects, added Anti-Harassment-Team (AHT Sprint 34); removed Anti-Harassment-Team (AHT Sprint 33).
Tchanders mentioned this in T211048: Audit classes that override Action::requiresUnblock method.Dec 3 2018, 7:50 PM
Tchanders subscribed.Dec 5 2018, 3:14 PM

Are we planning to reinstate this once T211048 is resolved?

TBolliger subscribed.Dec 5 2018, 5:49 PM
In T208862#4800441, @Tchanders wrote:

Are we planning to reinstate this once T211048 is resolved?

I imagine so — since we're fixing the side-effects and not altering this strategy. This patch fixes some important release blockers.

TBolliger edited projects, added Anti-Harassment-Team (AHT Sprint 35); removed Anti-Harassment-Team (AHT Sprint 34).Dec 5 2018, 8:06 PM
gerritbot added a comment.Dec 13 2018, 6:39 PM

Change 478056 had a related patch set uploaded (by Dbarratt; owner: Tchanders):
[mediawiki/core@master] Revert "Revert "Title::checkUserBlock should call User::isBlockedFrom for every action""

https://gerrit.wikimedia.org/r/478056

dbarratt moved this task from Ready to In progress on the Anti-Harassment-Team (AHT Sprint 35) board.Dec 17 2018, 7:18 PM
dbarratt mentioned this in T212341: Action authorization has multiple code paths to different results.Dec 19 2018, 9:10 PM
dbarratt moved this task from In progress to Review on the Anti-Harassment-Team (AHT Sprint 35) board.Dec 20 2018, 3:00 PM
TBolliger edited projects, added Anti-Harassment-Team (Alef — א); removed Anti-Harassment-Team (AHT Sprint 35).Jan 2 2019, 7:47 PM
TBolliger moved this task from Ready to Review on the Anti-Harassment-Team (Alef — א) board.
dbarratt updated the task description. (Show Details)Jan 4 2019, 12:38 AM
dbarratt updated the task description. (Show Details)Jan 4 2019, 3:53 PM
dbarratt added a comment.EditedJan 4 2019, 9:27 PM

I found a small problem in the patch. Since Title::userCan() and Title::getUserPermissionsErrors() expect the result of Action::getRestriction() not Action::getName() and since those two values do not have to be the same, constructing the action by name, rather than by restriction could have unexpected (overly restrictive) results.

The actions (in core) where this is the case are:

  • MarkpatrolledAction Name: markpatrolled Restriction: patrol
  • RevertAction Name: revert Restriction: upload

Since actions can only be loaded by name, and restrictions are what get passed into the method, this means these actions (or any other in extensions) will have the default value of true (i.e. a partial block will block the action).

There isn't a way to construct actions by a restriction. I was thinking we could add the actions to the service container, but that doesn't support tagging (or any other categorization mechanism) T212976. We could deprecate Action::getRestriction() and make a new, static method. That way we could loop through all of the action classes and create a map of restrictions to actions. If we are going to do that, we might as well do the same thing with Action::requiresUnblock() to avoid having to construct it at all. Or we could accept that when they do not match, that they will require unblocking. 😕

dbarratt added a subscriber: Tgr.EditedJan 4 2019, 11:26 PM

As @Tgr pointed out on the patch, this change does introduce a small inverted code flow.

The reason for this is because Action::checkCanExecute() makes a call to Title::getUserPermissionsErrors(). Then (with this patch) we are instantiating a new instance of the same Action that called this method in order to determine if the block should or should not affect the action that is being checked.

A "simple" solution to this problem would be to deprecated Action::requiresUnblock() and create a new static method. This way, metadata on the Action can be retrieved without having to instantiate a new instance of the action.

Alternatively, it would be better to resolve T212341 and create some sort of ActionPermission class that would contain the authorization checks for a particular action.

dbarratt renamed this task from Title::checkUserBlock should call User::isBlockedFrom for every action to Title::checkUserBlock should call User::isBlockedFrom for every action that requires unblock.Jan 5 2019, 12:18 AM
gerritbot added a comment.Jan 8 2019, 7:00 AM

Change 478056 merged by jenkins-bot:
[mediawiki/core@master] Revert "Revert "Title::checkUserBlock should call User::isBlockedFrom for every action""

https://gerrit.wikimedia.org/r/478056

ReleaseTaggerBot edited projects, added MW-1.33-notes (1.33.0-wmf.12; 2019-01-08); removed MW-1.33-notes (1.33.0-wmf.6; 2018-11-27).Jan 8 2019, 7:01 AM
dbarratt added a parent task: T213220: Title::checkUserBlock() should ensure the retrieved action matches the passed in restriction.Jan 8 2019, 9:06 PM
dbarratt closed this task as Resolved.Jan 8 2019, 9:16 PM
dbarratt moved this task from Review to Done on the Anti-Harassment-Team (Alef — א) board.
dbarratt mentioned this in T213738: Create a mechanism to get an Action by restriction.Jan 14 2019, 5:26 PM
Aklapper removed subscribers: TBolliger, Anomie.Oct 16 2020, 5:40 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 16 2020, 6:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits