Page MenuHomePhabricator
Create Task
Maniphest T209097

FormSpecialPage::checkExecutePermissions should only block a FormSpecialPage if the user is sitewide blocked
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

Problem
If a special form page (like Special:Block) extends FormSpecialPage then users who are partially blocked are also blocked from that Special page.

if ( $this->requiresUnblock() && $user->isBlocked() ) {
  $block = $user->getBlock();
  throw new UserBlockedError( $block );
}

Solution
This should be changed to something like:

if ( $this->requiresUnblock() ) {
  $block = $user->getBlock();
  if ( $block && $block->isSitewide() ) {
    throw new UserBlockedError( $block );
  }
}

Affected Special Pages

Important to fix, release blocker for Commons:

Should fix eventually:

I have no idea what these are, and they're not on EN or IT Wikipedia. Maybe never fix:

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Block Special pages only if the user is sitewide blockedmediawiki/coremaster+94 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

dbarratt created this task.Nov 8 2018, 7:55 PM
Restricted Application added subscribers: MGChecker, Aklapper. · View Herald TranscriptNov 8 2018, 7:55 PM
dbarratt added a parent task: T208965: Partially blocked admins should be able to access Special:Block.Nov 8 2018, 7:55 PM
TBolliger moved this task from Untriaged to Product/Tech backlog on the Anti-Harassment-Team board.Nov 8 2018, 8:25 PM
TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.
TBolliger subscribed.EditedNov 9 2018, 12:31 AM

Here are the Special Pages that I found that display the "User is blocked" message if a user is partially blocked:

Important to fix, release blocker for Commons:

Should fix eventually:

I have no idea what these are, and they're not on EN or IT Wikipedia. Maybe never fix:

dbarratt updated the task description. (Show Details)Nov 12 2018, 3:10 PM
dbarratt updated the task description. (Show Details)
TBolliger moved this task from Product/Tech backlog to Snackbox on the Anti-Harassment-Team board.Nov 16 2018, 3:45 PM
TBolliger moved this task from Snackbox to Triage/To be Estimated on the Anti-Harassment-Team board.Nov 16 2018, 3:48 PM
TBolliger added a comment.Nov 19 2018, 9:26 PM

@dbarratt — will the fixes to all of these be the same, or should I break these into prioritized other Phab tasks?

TBolliger triaged this task as Low priority.Nov 19 2018, 9:57 PM
TBolliger added a subtask: T203821: After QA, enable Partial Blocks MVP on test.wikipedia.org and test.wikidata.org.
TBolliger closed subtask T203821: After QA, enable Partial Blocks MVP on test.wikipedia.org and test.wikidata.org as Resolved.Nov 19 2018, 10:00 PM
TBolliger updated the task description. (Show Details)Nov 29 2018, 6:20 PM
dmaza updated the task description. (Show Details)Dec 5 2018, 11:26 PM
TBolliger updated the task description. (Show Details)Jan 23 2019, 5:25 PM

AbuseLog was fixed but the others are not. Just verified on Test Wiki.

TBolliger moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment-Team board.Jan 23 2019, 7:31 PM
TBolliger set the point value for this task to 3.
TBolliger mentioned this in T209662: Partially blocked admins should be able to restore revisions of deleted pages.Jan 23 2019, 7:33 PM
TBolliger mentioned this in T208965: Partially blocked admins should be able to access Special:Block.
TBolliger moved this task from Cards ready for development to Dalet — ד on the Anti-Harassment-Team board.Feb 13 2019, 5:31 PM
TBolliger edited projects, added Anti-Harassment-Team (Dalet — ד); removed Anti-Harassment-Team.
dbarratt claimed this task.Feb 21 2019, 5:44 PM
dbarratt moved this task from Ready to In progress on the Anti-Harassment-Team (Dalet — ד) board.
gerritbot subscribed.Feb 21 2019, 5:57 PM

Change 492010 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/core@master] Only block Special pages if the user is sitewide blocked.

https://gerrit.wikimedia.org/r/492010

gerritbot added a project: Patch-For-Review.Feb 21 2019, 5:58 PM
dbarratt moved this task from In progress to Review on the Anti-Harassment-Team (Dalet — ד) board.Feb 26 2019, 5:15 PM
Tchanders subscribed.Feb 27 2019, 1:54 PM

@TBolliger The patch addresses all pages in your list except for AbuseLog and UploadWizard, since they extend SpecialPage, instead of FormSpecialPage. It sounds like AbuseLog is already working. It looks like UploadWizard should be fixed in SpecialUploadWizard::isUserUploadAllowed.

The patch also affects any special pages that extend the class FormSpecialPage and don't override requiresUnblock or checkExecutePermissions. From a cursory glance through the classes in this list on codesearch, that's quite a few special pages. Partially blocked users would now be able to access all such pages (assuming they have the right permissions). Is that OK?

One more thing - after the patch, in order to block someone from any of these special pages, the admin would have to apply a sitewide block now, since it's not possible to specify special pages in a partial block. Is that acceptable?

TBolliger added a comment.Feb 27 2019, 3:35 PM
In T209097#4987919, @Tchanders wrote:

@TBolliger The patch addresses all pages in your list except for AbuseLog and UploadWizard, since they extend SpecialPage, instead of FormSpecialPage. It sounds like AbuseLog is already working. It looks like UploadWizard should be fixed in SpecialUploadWizard::isUserUploadAllowed.

Good deal — sounds like we need a new Phab task to address SpecialUploadWizard::isUserUploadAllowed ?

The patch also affects any special pages that extend the class FormSpecialPage and don't override requiresUnblock or checkExecutePermissions. From a cursory glance through the classes in this list on codesearch, that's quite a few special pages. Partially blocked users would now be able to access all such pages (assuming they have the right permissions). Is that OK?

Yes, perfect. Partial blocks should not prohibit the PB'd user from utilizing any Special: pages (except for Special:MovePage on pages defined within the PB.)

One more thing - after the patch, in order to block someone from any of these special pages, the admin would have to apply a sitewide block now, since it's not possible to specify special pages in a partial block. Is that acceptable?

Yes, 100% acceptable and as designed. Thank you for double checking!

dbarratt added a comment.Feb 27 2019, 4:09 PM
In T209097#4988170, @TBolliger wrote:

Good deal — sounds like we need a new Phab task to address SpecialUploadWizard::isUserUploadAllowed ?

That would be fantastic.

TBolliger added a comment.EditedFeb 27 2019, 4:11 PM
In T209097#4988294, @dbarratt wrote:
In T209097#4988170, @TBolliger wrote:

Good deal — sounds like we need a new Phab task to address SpecialUploadWizard::isUserUploadAllowed ?

That would be fantastic.

On it!

Done: T217255: Partially blocked users should be allowed to use Special:UploadWizard

TBolliger mentioned this in T217255: Partially blocked users should be allowed to use Special:UploadWizard.Feb 27 2019, 4:30 PM
TBolliger edited projects, added Anti-Harassment-Team (He — ה); removed Anti-Harassment-Team (Dalet — ד).Feb 27 2019, 8:01 PM
TBolliger moved this task from Ready to Review on the Anti-Harassment-Team (He — ה) board.
gerritbot added a comment.Mar 5 2019, 11:03 PM

Change 492010 merged by jenkins-bot:
[mediawiki/core@master] Block Special pages only if the user is sitewide blocked

https://gerrit.wikimedia.org/r/492010

dbarratt moved this task from Review to QA/Testing on the Anti-Harassment-Team (He — ה) board.Mar 5 2019, 11:04 PM
ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.21; 2019-03-12).Mar 6 2019, 12:00 AM
dom_walden subscribed.Mar 11 2019, 1:36 PM

On beta, I cannot create an account from an IP that is blocked from creating accounts, even if my user has "ipblock-exempt".

This looks like the same bug as T189362 (which was raised on 10th March 2018). However, I could not reproduce the bug on test.

Beta: 1.33.0-alpha (278ac40) 23:37, 10 March 2019
Test: 1.33.0-wmf.20 (rMWf929e2a50696) 23:04, 6 March 2019

@dbarratt Might it be related to work the team has done recently?

dbarratt added a comment.Mar 11 2019, 2:36 PM

@dom_walden What error message do you get?

dom_walden added a comment.Mar 12 2019, 8:38 AM
In T209097#5015334, @dbarratt wrote:

@dom_walden What error message do you get?

More or less the same as in T189362. You are shown the account creation form, but get a message when you type something in the Username field. Same message shows, above the form, if you try to submit.

ac_message.png (851×390 px, 45 KB)

For this block:

block_ac.png (151×1 px, 16 KB)

dom_walden added a comment.Mar 13 2019, 5:22 PM

@TBolliger Special:MassMessage does not seem to respect blocks (partial or sitewide). For example, if you are blocked from someone's user_talk page you can still send a message to it.

It would require someone who is blocked also having the massmessage right. Unlikely to be given to a user who is sitewide blocked, but could happen if they are only partially blocked.

Separate bug?

Also, are we concerned about Special:StructuredDiscussions considering it is a beta feature?

I ask because I see some unusual behaviour. A blocked user can post to a structured discussion, but not use the "thank" function (possibly because they are blocked from sending email; I have no idea). I am not sure if it is worth following up.

TBolliger added a comment.Mar 13 2019, 5:47 PM
In T209097#5021714, @dom_walden wrote:

@TBolliger Special:MassMessage does not seem to respect blocks (partial or sitewide). For example, if you are blocked from someone's user_talk page you can still send a message to it.

It would require someone who is blocked also having the massmessage right. Unlikely to be given to a user who is sitewide blocked, but could happen if they are only partially blocked.

Separate bug?

Yes, this seems like an extremely rare edge case. We can file to just have it on the MediaWiki-User-management board, but I don't think it's worth AHT's time to address.

Also, are we concerned about Special:StructuredDiscussions considering it is a beta feature?

I ask because I see some unusual behaviour. A blocked user can post to a structured discussion, but not use the "thank" function (possibly because they are blocked from sending email; I have no idea). I am not sure if it is worth following up.

Let's wait on making any further changes to Structured Discussions, as the 2019 Talk Page Consultation may illuminate the future direction of that product.

TBolliger edited projects, added Anti-Harassment-Team (Vav — ו); removed Anti-Harassment-Team (He — ה).Mar 13 2019, 7:06 PM
TBolliger moved this task from Ready to QA/Testing on the Anti-Harassment-Team (Vav — ו) board.
dom_walden added a comment.Mar 19 2019, 8:44 AM

Tested in this bug:

ActionBlockOutcome
Special:EmailUserUser partial (send)Can send
Special:EmailUserIP partial (send)Cannot send
Special:EmailUserCookie partial (send)Cannot send
Special:EmailUserUser partial (nosend)Blocked
Special:EmailUserIP partial (nosend)Cannot send
Special:EmailUserCookie partial (nosend)Cannot send
Special:PasswordResetUser partialSuccess
Special:PasswordResetIP partialSuccess (for User)
Special:PasswordResetCookie partialSuccess
Special:PasswordResetUser sitewideBlocked
Special:PasswordResetIP sitewideBlocked
Special:PasswordResetCookie sitewideBlocked
Special:UploadUser partial (blocked from File ns)Blocked (on submission)
Special:UploadUser partial (not blocked File ns)Success
Special:UploadUser sitewideBlocked on access
Special:AbuseLogUser partialCan view logs and search
Special:AbuseLogUser sitewideCan view logs and search
Special:BotPasswordsUser sitewideBlocked on access
Special:BotPasswordsUser partial (non-admin user)Can create bot p/w

Also in this bug (T209097#5021714)

  • Special:MassMessage
  • Special:StructuredDiscussions

Elsewhere (T211621) I tested:

  • Special:UserLogin
  • Special:PasswordReset
  • Special:ChangeCredentials

I will test Special:UploadWizard in T217255.

The only thing outstanding is T209097#5015139, if @dbarratt would like me to raise it as a separate bug.

Niharika edited projects, added Anti-Harassment-Team (Zayin - ז); removed Anti-Harassment-Team (Vav — ו).Mar 27 2019, 6:52 PM
Tchanders moved this task from Ready to QA/Testing on the Anti-Harassment-Team (Zayin - ז) board.Mar 27 2019, 6:54 PM
dom_walden moved this task from QA/Testing to Done on the Anti-Harassment-Team (Zayin - ז) board.Apr 1 2019, 1:02 PM
In T209097#5035130, @dom_walden wrote:

The only thing outstanding is T209097#5015139, if @dbarratt would like me to raise it as a separate bug.

As this is already raised as T189362, I will just move this on.

dbarratt added a comment.Apr 1 2019, 1:38 PM
In T209097#5073904, @dom_walden wrote:

As this is already raised as T189362, I will just move this on.

Thanks! sorry I hadn't had a chance to circle back to it. :)

dbarratt closed this task as Resolved.Apr 4 2019, 7:26 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits