
Users with partial access to change user rights should not be blocked with a partial block
Closed, ResolvedPublic

Description

Problem
Partial blocks should not prevent admins from changing user rights, if they have permission to do so.

Proposed Solution
Allow partially blocked users to change user rights.

Event Timeline

dbarratt created this task. Jul 19 2019, 5:37 PM
Restricted Application removed a project: Patch-For-Review. Jul 19 2019, 5:37 PM

Change 524568 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/core@master] Users with partial access to user rights should not be blocked

https://gerrit.wikimedia.org/r/524568

Tchanders added a comment. (Edited) Jul 22 2019, 6:02 PM

Example for reviewing/testing/product input

This change affects users who do not have the 'userrights' right, but who are affected by $wgAddGroups, $wgRemoveGroups, $wgGroupsAddToSelf and/or $wgGroupsRemoveFromSelf, e.g. a sysop on a wiki with the following config:

$wgGroupPermissions['bureaucrat']['userrights'] = true;
$wgGroupPermissions['sysop']['userrights'] = false;
$wgGroupsAddToSelf['sysop'] = [ 'bot' ];
$wgGroupsRemoveFromSelf['sysop'] = [ 'bot' ];
$wgAddGroups['sysop'] = [ 'bot' ];
$wgRemoveGroups['sysop'] = [ 'bot' ];

Before this task, if a bureaucrat or sysop (on a wiki with these example configs) attempts to add/remove the 'bot' group to any user, via Special:UserRights or the API:

|  | Not blocked | Partially blocked | Sitewide blocked |
| --- | --- | --- | --- |
| bureaucrat | Success | Success | Success |
| sysop | Success | Blocked error | Blocked error |

Afterwards - at least according to https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/524568/1 - a partially blocked sysop (on a wiki with these example configs) will be able to add/remove the 'bot' group to any user.
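The before/after tables above, as an added example that is not MediaWiki's own code: a small Python model of the authorization decision this task changes. The configuration mirrors the example config in this comment; the function names, the block-state strings and the result strings are this example's own conventions, and the pre-fix/post-fix switch is a flag rather than two code versions.

```python
# Added example (not MediaWiki's own code): model of the userrights decision
# described in this task, before and after change 524568.

# Constructed config, mirroring the example $wg* settings in the comment.
SITE_CONFIG = {
    "group_permissions": {
        "bureaucrat": {"userrights": True},
        "sysop": {"userrights": False},
    },
    "add_groups": {"sysop": ["bot"]},          # $wgAddGroups
    "remove_groups": {"sysop": ["bot"]},       # $wgRemoveGroups
    "add_to_self": {"sysop": ["bot"]},         # $wgGroupsAddToSelf
    "remove_from_self": {"sysop": ["bot"]},    # $wgGroupsRemoveFromSelf
}

# Block states as named in the tables (strings are this example's convention).
NO_BLOCK, PARTIAL, SITEWIDE = "none", "partial", "sitewide"


def has_userrights(config, groups):
    """True if any of the user's groups grants the full 'userrights' right."""
    perms = config["group_permissions"]
    return any(perms.get(g, {}).get("userrights") for g in groups)


def changeable_groups(config, groups):
    """Groups the user may add/remove without 'userrights', via $wgAddGroups & co."""
    out = {"add": set(), "remove": set(), "add_self": set(), "remove_self": set()}
    for g in groups:
        out["add"].update(config["add_groups"].get(g, []))
        out["remove"].update(config["remove_groups"].get(g, []))
        out["add_self"].update(config["add_to_self"].get(g, []))
        out["remove_self"].update(config["remove_from_self"].get(g, []))
    return out


def can_change_group(config, groups, target_group, action, block, after_fix):
    """Decide whether a user in `groups` may perform `action` ('add' or 'remove')
    of `target_group` on another user, given the user's own block state.

    Returns 'Success', 'Blocked error' or 'Permission error'.
    """
    if has_userrights(config, groups):
        # Per the tables, full 'userrights' holders succeed in every block state.
        return "Success"
    if target_group not in changeable_groups(config, groups)[action]:
        return "Permission error"
    if block == SITEWIDE:
        return "Blocked error"
    if block == PARTIAL and not after_fix:
        # Pre-fix behaviour: any block stopped partial-userrights users.
        return "Blocked error"
    return "Success"


def outcome_table(config, after_fix):
    """Rebuild the table from the comment, keyed by (actor group, block state)."""
    table = {}
    for actor in ("bureaucrat", "sysop"):
        for block in (NO_BLOCK, PARTIAL, SITEWIDE):
            table[(actor, block)] = can_change_group(
                config, [actor], "bot", "add", block, after_fix
            )
    return table


if __name__ == "__main__":
    for label, flag in (("before", False), ("after", True)):
        print(label)
        for key, result in outcome_table(SITE_CONFIG, flag).items():
            print("  ", key, "->", result)
```

The only cell that changes between the two runs is (sysop, partial), which is exactly the scope of the patch: users who hold partial userrights access stop being refused under a partial block, while a sitewide block still refuses them.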

DannyS712 added a subscriber: DannyS712. (Edited) Jul 22 2019, 6:18 PM

The default $wgAddGroups for wikimedia sites specifies:

'default' => [
	'bureaucrat' => [ 'accountcreator', 'sysop', 'interface-admin', 'bureaucrat', 'bot', 'confirmed' ],
	'sysop' => [ 'ipblock-exempt' ],
],

Wouldn't this change mean that a partially blocked bureaucrat, who cannot unblock themselves, can give an alternative account +bureaucrat (or just +sysop) and then use that account to unblock themselves?
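The concern in this comment is a question about transitive rights: which groups can a granter reach by chaining $wgAddGroups entries, and do any of them carry the right needed to lift a block? As an added example that is not MediaWiki's own code, the following Python audit takes the $wgAddGroups default quoted above and computes that closure, so a wiki operator can see which granter groups a partial block does not fence off from block-lifting power. The set of groups assumed to hold the 'block' right is an assumption of this example, not something the thread states; adjust it to the wiki being audited.

```python
# Added example (not MediaWiki's own code): audit the transitive reach of
# $wgAddGroups, so an operator can see which granter groups can reach a group
# that is able to lift blocks.
from collections import deque

# Constructed from the 'default' $wgAddGroups entry quoted in this thread.
ADD_GROUPS = {
    "bureaucrat": ["accountcreator", "sysop", "interface-admin",
                   "bureaucrat", "bot", "confirmed"],
    "sysop": ["ipblock-exempt"],
}

# ASSUMPTION of this example: which groups hold the 'block' right (required to
# place or lift blocks). Stock MediaWiki gives it to 'sysop'; confirm per wiki.
GROUPS_WITH_BLOCK_RIGHT = {"sysop"}


def grantable_closure(add_groups, start_group):
    """All groups reachable by chained grants: start can add X, X can add Y, ...
    Breadth-first search over the $wgAddGroups graph; a group that lists
    itself (bureaucrat -> bureaucrat) is handled by the seen-set."""
    seen = set()
    queue = deque([start_group])
    while queue:
        granter = queue.popleft()
        for target in add_groups.get(granter, []):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def can_reach_unblock(add_groups, block_groups, start_group):
    """True if start_group can, directly or transitively, grant a group that
    holds the 'block' right."""
    return bool(grantable_closure(add_groups, start_group) & block_groups)


def audit(add_groups, block_groups):
    """For every granter group, list the reachable groups that hold 'block'.
    An empty list means a partial block on that group cannot be undone via
    user-rights changes alone."""
    return {
        granter: sorted(grantable_closure(add_groups, granter) & block_groups)
        for granter in add_groups
    }


if __name__ == "__main__":
    for granter, reachable in audit(ADD_GROUPS, GROUPS_WITH_BLOCK_RIGHT).items():
        status = "can reach" if reachable else "cannot reach"
        print(f"{granter}: {status} a block-capable group {reachable}")
```

Running it against the quoted default reports that 'bureaucrat' reaches 'sysop' (one hop) while 'sysop' reaches only 'ipblock-exempt', which is the asymmetry the comment points at: the decision on this task mainly matters for the groups whose audit entry is non-empty.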

@Niharika @SPoore Do you have any thoughts about @DannyS712's example?

> Wouldn't this change mean that a partially blocked bureaucrat, who cannot unblock themselves, can give an alternative account +bureaucrat (or just +sysop) and then use that account to unblock themselves?

Yes. But why are they being partially blocked in the first place? Is it to prevent them from doing their day-to-day admin tasks? or is it to prevent them from editing an article, sending emails, or participating in a discussion?

> Wouldn't this change mean that a partially blocked bureaucrat, who cannot unblock themselves, can give an alternative account +bureaucrat (or just +sysop) and then use that account to unblock themselves?
>
> Yes. But why are they being partially blocked in the first place? Is it to prevent them from doing their day-to-day admin tasks? or is it to prevent them from editing an article, sending emails, or participating in a discussion?

If an admin or crat is partially blocked to prevent them from editing an article, I assume it would be because they can't be trusted to avoid the article on their own. This can be circumvented by allowing editing of user rights: if the page was template-protected, you can make your alt a template-editor (on enwiki). If it is fully protected, you can make your alt a sysop. I don't think that a crat that needs to be blocked should be allowed to edit user rights, since that can be used to circumvent the block, and if they needed to be blocked, they may no longer have the trust of the community and shouldn't be able to exercise this power.

@DannyS712 We discussed this within the team and it seems like this is a very narrow edge case. Partial blocks are for general users. I think if the situation requires an admin to be partially-blocked, they should probably not be an admin in the first place.

> @DannyS712 We discussed this within the team and it seems like this is a very narrow edge case. Partial blocks are for general users. I think if the situation requires an admin to be partially-blocked, they should probably not be an admin in the first place.

I agree, which is why I am wondering why a partially-blocked admin should still have some admin abilities (like access to user rights).

dbarratt updated the task description. Jul 23 2019, 9:44 PM

> @DannyS712 We discussed this within the team and it seems like this is a very narrow edge case. Partial blocks are for general users. I think if the situation requires an admin to be partially-blocked, they should probably not be an admin in the first place.
>
> I agree, which is why I am wondering why a partially-blocked admin should still have some admin abilities (like access to user rights).

If an admin is partially blocked from editing a given page (say because of a conflict of interest), I don't see why that should prevent them from carrying out their administrative duties. Essentially I prefer to err on the side of maintaining good faith until we come across a case in the wild about this being actually misused. I am sure handing out template-editor or sysop rights isn't something that's done without any scrutiny.
Let's go ahead with this change and re-assess if we see misuse.
Thanks a lot for highlighting the issue @DannyS712. It provided a helpful perspective and we'll keep a watchful eye out.

Change 524568 merged by jenkins-bot:
[mediawiki/core@master] Users with partial access to user rights should not be blocked

https://gerrit.wikimedia.org/r/524568

dom_walden added a subscriber: dom_walden.

> |  | Not blocked | Partially blocked | Sitewide blocked |
> | --- | --- | --- | --- |
> | bureaucrat | Success | Success | Success |
> | sysop | Success | Blocked error | Blocked error |

Now, with a user block:

|  | Not blocked | Partially blocked | Sitewide blocked |
| --- | --- | --- | --- |
| bureaucrat (locally) | Success | Success | Success |
| sysop (on beta) | Success | Success | Blocked error |

For the actions of adding and removing groups from myself and another user.

Also tested removing a group from someone else via the API as sysop (with partial and sitewide block).

With an IP block (on beta):

|  | Not blocked | Partially blocked | Sitewide blocked |
| --- | --- | --- | --- |
| Event coordinator | Success | Success | Blocked |

Event Coordinator does not have 'userrights' or 'ipblock-exempt'; can add to group "Confirmed users".

Tested composite blocks as Event Coordinator:

  • autoblock IP + sitewide IP
  • partial IP + sitewide range

Also tested API as Event Coordinator:

  • partial IP + sitewide range
  • partial IP + partial range

I did not test other types of blocks such as system, cookie or hidden blocks.

Did not see any errors on beta logs.

dbarratt closed this task as Resolved. Jul 29 2019, 5:08 PM