Page MenuHomePhabricator

Move SpecialBlock::checkUnblockSelf to a block permissions service
Closed, ResolvedPublic

Description

As we refactor SpecialBlock::processForm and SpecialUnblock::processUnblock into services, they will both need to be able to do the permission checks currently in SpecialBlock::checkUnblockSelf.

Therefore, we'll need a block permissions service that both the blocking and unblocking services can use.

Event Timeline

Change 592287 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[mediawiki/core@master] Introduce BlockValidator service for validating block targets

https://gerrit.wikimedia.org/r/592287

Unittests added, this should be now ready to review

Change 592287 merged by jenkins-bot:
[mediawiki/core@master] Introduce BlockPermissionChecker service for validating block targets

https://gerrit.wikimedia.org/r/592287

dom_walden added a subscriber: dom_walden.

Blocked admins can always block/unblock themselves (including editing their block), unless they have been blocked by someone else and do not have the unblockself right (which Administrators do not on enwiki).

Blocked admins can always block/unblock the admin who blocked them.

The only exception is if they are composite blocked. I think because composite blocks do not have a blocking admin, so the new function cannot do the comparison.

However, I believe an admin could only be composite blocked if they did not have the ipblock-exempt right, which I believe they all do on production.

Blocked admins cannot block/unblock other users, unless they are only partially blocked.

I mainly tested Special:Block and Special:Unblock (the same function is used for checking whether a user can block and unblock).

I did briefly test API:Block and API:Unblock, which as far as I saw behaved the same. Because the behaviour of the function only depends on the current user, their blocked status and the target of the block, it did not seem to matter from which place it was called.

It does not seem to have any associated hooks, and is only used in one extension (RegexBlock, which is not used on production anywhere I could see).

I tested this primarily on vagrant (MediaWiki 1.35.0-alpha (610f008)), because I only have one Admin user on beta, so I could only block myself.

To check that the logic behind when an admin can block/unblock has not changed I performed some of the same tests on testwiki, saw the same outcomes.

I believe this can now be closed? @dom_walden If you need a second admin account at beta, that shouldn't be a problem :-).