
Abusefilter: restricted action blockautopromotion is available, shouldn't be
Closed, Invalid · Public · Security

Description

On enwiki, an admin was able to create a filter that would block autopromotion[1].
While admins do have abusefilter-modify-restricted rights, the ability to block autopromotion doesn't appear to be enabled on enwiki[2].

Tested on enwikiversity, which has no restricted actions enabled - was able to block autopromotion as well, but neither block nor rangeblock.[3]

[1] See filter history and noticeboard discussion
[2] See that enwiki doesn't enable it
[3] See https://en.wikiversity.org/wiki/Special:AbuseFilter/history/20

Details

Author Affiliation
Wikimedia Communities

Event Timeline

Restricted Application added projects: User-DannyS712, Security. Feb 13 2020, 1:08 AM
Restricted Application added a subscriber: Aklapper.
DannyS712 changed Author Affiliation from N/A to Wikimedia Communities. Feb 13 2020, 1:09 AM
DannyS712 added a project: AbuseFilter.
DannyS712 moved this task from Unsorted to Abuse Filter on the User-DannyS712 board.
DannyS712 renamed this task from "Abusefilter: Restricted actions checks failing" to "Abusefilter: restricted action blockautopromotion / degroup is available, shouldn't be". Feb 13 2020, 1:19 AM
DannyS712 updated the task description.
DannyS712 renamed this task from "Abusefilter: restricted action blockautopromotion / degroup is available, shouldn't be" to "Abusefilter: restricted action blockautopromotion is available, shouldn't be". Feb 13 2020, 1:26 AM
DannyS712 updated the task description. Feb 13 2020, 1:31 AM

It looks like the only actions that are disabled by default are block, rangeblock, and degroup. The reason blockautopromote is available on enwiki is that no one's ever explicitly disabled it with $wgAbuseFilterActions['blockautopromote'] = false;, yes? The question is, do we need "community consensus" to get that line added, given that AFAIK no one has used that option in years on enwiki?

DannyS712 added a comment. Edited Feb 13 2020, 2:45 AM

...sorry, didn't see that those were different. I guess this isn't a security issue then?
I would suggest that it be disabled by default, like (range)block and degroup.

To avoid breaking wikis that currently use this, the following query can be used (this can also be done via the API by anyone with global AF helper rights):

DB query
-- filters on this wiki that have the blockautopromote consequence configured
SELECT afa_filter
FROM abuse_filter_action
WHERE afa_consequence = 'blockautopromote';

Those wikis can then be individually re-enabled.

It looks like the only actions that are disabled by default are block, rangeblock, and degroup. The reason blockautopromote is available on enwiki is that no one's ever explicitly disabled it with $wgAbuseFilterActions['blockautopromote'] = false;, yes?

Exactly.

The question is, do we need "community consensus" to get that line added, given that AFAIK no one has used that option in years on enwiki?

I believe yes, but probably you don't need much participation.

...sorry, didn't see that those were different. I guess this isn't a security issue then?

Indeed. I'm going to close this as invalid and make it public.

I would suggest that it be disabled by default, like (range)block and degroup.

Not convinced by this one, I don't think it causes any harm to leave it enabled. OTOH, we may have to re-enable it later for whatever wiki wants to opt-in.
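The confusion the thread resolves is that AbuseFilter has two independent gates on a consequence: whether the wiki has the action enabled at all ($wgAbuseFilterActions), and whether putting an enabled action into a filter additionally requires the abusefilter-modify-restricted right (the "restricted actions" list). The following is an added example, a simplified Python model written for this page and not the extension's own code, that reproduces the observation in the report: on a wiki with no restricted actions, blockautopromote is still available while block and rangeblock are not, because the latter two are disabled rather than restricted. The default values for actions other than block, rangeblock, degroup and blockautopromote, the name `restricted` for the restriction list, and the wiki configurations are assumptions; only the four defaults named in the discussion are taken from the page.

```python
"""Simplified model of AbuseFilter's two consequence gates.

Added example, not AbuseFilter's own code. Layer 1 is the per-wiki
enable map ($wgAbuseFilterActions); layer 2 is the restriction list,
which only matters for actions that pass layer 1.
"""
from dataclasses import dataclass, field

RESTRICTED_RIGHT = "abusefilter-modify-restricted"

# Defaults as described in the thread: block, rangeblock and degroup are
# off, blockautopromote is on. The remaining entries are assumed here.
DEFAULT_ACTIONS = {
    "throttle": True,
    "warn": True,
    "disallow": True,
    "tag": True,
    "blockautopromote": True,   # enabled unless a wiki sets it to false
    "block": False,
    "rangeblock": False,
    "degroup": False,
}


@dataclass
class WikiConfig:
    """Per-wiki AbuseFilter configuration (assumed shape, for this model)."""
    actions: dict = field(default_factory=lambda: dict(DEFAULT_ACTIONS))
    restricted: set = field(default_factory=set)


def can_set_action(cfg: WikiConfig, action: str, user_rights: set) -> tuple:
    """Return (allowed, reason) for putting `action` into a filter.

    reason is one of: "ok", "disabled" (fails layer 1), "restricted"
    (enabled, but the editor lacks the restricted-actions right).
    """
    if not cfg.actions.get(action, False):
        return False, "disabled"
    if action in cfg.restricted and RESTRICTED_RIGHT not in user_rights:
        return False, "restricted"
    return True, "ok"


def available_actions(cfg: WikiConfig, user_rights: set) -> list:
    """Sorted list of consequences this editor could configure on this wiki."""
    return sorted(a for a in cfg.actions if can_set_action(cfg, a, user_rights)[0])


def enwikiversity_like() -> WikiConfig:
    """Assumed: a wiki with stock defaults and no restricted actions."""
    return WikiConfig()


def enwiki_like_after_opt_out() -> WikiConfig:
    """Assumed: same wiki after adding
    $wgAbuseFilterActions['blockautopromote'] = false; to LocalSettings.php."""
    cfg = WikiConfig()
    cfg.actions["blockautopromote"] = False
    return cfg


def restricted_wiki() -> WikiConfig:
    """Assumed: blockautopromote enabled but placed on the restricted list."""
    cfg = WikiConfig()
    cfg.restricted.add("blockautopromote")
    return cfg


if __name__ == "__main__":
    admin = {"abusefilter-modify"}          # no restricted-actions right
    for name, cfg in [("no restrictions", enwikiversity_like()),
                      ("opt-out", enwiki_like_after_opt_out()),
                      ("restricted", restricted_wiki())]:
        print(name, available_actions(cfg, admin))
```

Running the model shows why the original report looked like a failed restriction check but was not: disabling an action and restricting it are separate switches, and only the first was ever flipped for block, rangeblock and degroup.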

Daimona closed this task as Invalid.Feb 13 2020, 1:49 PM

I'm going to close this as invalid and make it public.

Huh, apparently I can't. @Aklapper could you do that, please? Thanks!

sbassett triaged this task as Lowest priority.Feb 13 2020, 3:26 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.