Page MenuHomePhabricator

Admins blocked by User:Abuse filter cannot unblockself
Open, MediumPublic

Description

Administrators automatically blocked by an abuse filter (or any user with block rights) should be able to unblock themselves, even if they lack the unblockself right

Background:
In T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker) unblockself was removed from admins on all WMF wikis. But this raises a potential problem: if an abuse filter is set up to block users on triggering, and it blocks an administrator, the administrator cannot unblock themselves.

See https://meta.wikimedia.org/w/index.php?title=Steward_requests/Miscellaneous&oldid=19373678#Unblock_DannyS712_on_mediawiki for an example of this happening.

Details

Related Gerrit Patches:

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2019, 2:04 AM
DannyS712 claimed this task.EditedSep 14 2019, 2:07 AM
DannyS712 added a project: AbuseFilter.
DannyS712 added a subscriber: Daimona.

Proposed solution:
Users who blocked themselves or were blocked by the abuse filter automatically may unblock themselves without needing unblockself

Proposed implementation:
In SpecialBlock::checkUnblockSelf, after checking if the user is unblocking themselves, but before returning ipbblocked when they are not allowed to unblock themselves, run a new hook, UnblockUserCheckUnblockSelf, which, if it returns true, will allow the unblock to proceed; returning null or false will result in the unblock failing with the current code of ipbblocked.

Restricted Application added a project: User-DannyS712. · View Herald TranscriptSep 14 2019, 2:07 AM
DannyS712 updated the task description. (Show Details)Sep 14 2019, 2:09 AM

Given the addition of a hook that would allow circumventing current restrictions on unblocking self, tagging Core Platform Team for feature review

Ammarpad updated the task description. (Show Details)Sep 14 2019, 5:20 AM

This was shortly discussed in T150826, see T150826#4784526 and following comments. There are two main ways to circumvent this issue:
1 - And most important, check user_groups in abuse filters. That's like a golden rule. There'll always be new problems like this one if a filter isn't checking user groups. (I know that this time it happened during testing, but other than that, this should be the actual solution)
2 - Even then, blocked admins can use Special:AbuseFilter/revert to unblock themselves. That was probably not intended, so we may take it away in the near future.

But again, 1 should be the correct solution 99% of the times, without the need to create new hooks or sth like that.

eprodromou triaged this task as Medium priority.Sep 24 2019, 2:42 PM
eprodromou added a subscriber: eprodromou.

This seems like a pretty straightforward fix for an annoying bug for admins. From CPT side, we think it's a good idea to do, and we'll track its progress. Let me know if there's anything CPT can do to help in the process.

Change 551606 had a related patch set uploaded (by DannyS712; owner: DannyS712):
[mediawiki/core@master] Add UnblockUserUnblockSelf hook for allowing users to unblock self.

https://gerrit.wikimedia.org/r/551606

This seems like a pretty straightforward fix for an annoying bug for admins. From CPT side, we think it's a good idea to do, and we'll track its progress. Let me know if there's anything CPT can do to help in the process.

Can CPT please review the patch provided?