As we refactor SpecialBlock::processForm and SpecialUnblock::processUnblock into services, they will both need to be able to do the permission checks currently in SpecialBlock::checkUnblockSelf.
Therefore, we'll need a block permissions service that both the blocking and unblocking services can use.
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Introduce BlockPermissionChecker service for validating block targets | mediawiki/core | master | +378 -46 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Tchanders | T264303 Use BlockUser service in SpecialInvestigateBlock | |||
| Resolved | Daimona | T248743 Call BlockUser in AbuseFilterRunner.php | |||
| Duplicate | Urbanecm | T264306 Use BlockUser service in GlobalBlocking | |||
| Resolved | Urbanecm | T250737 Special:Block should not play the role of a central blocking service/utility | |||
| Resolved | Urbanecm | T189073 Refactor logic for creating and logging a block out of SpecialBlock so it can be easily reused elsewhere | |||
| Resolved | Urbanecm | T250020 Refactor logic for doing and logging unblock out of SpecialUnblock so it can be easily reused elsewhere | |||
| Resolved | Urbanecm | T251861 Move SpecialBlock::checkUnblockSelf to a block permissions service |
Change 592287 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[mediawiki/core@master] Introduce BlockValidator service for validating block targets
Change 592287 merged by jenkins-bot:
[mediawiki/core@master] Introduce BlockPermissionChecker service for validating block targets
Blocked admins can always block/unblock themselves (including editing their block), unless they have been blocked by someone else and do not have the unblockself right (which Administrators do not on enwiki).
Blocked admins can always block/unblock the admin who blocked them.
The only exception is if they are composite blocked. I think because composite blocks do not have a blocking admin, so the new function cannot do the comparison.
However, I believe an admin could only be composite blocked if they did not have the ipblock-exempt right, which I believe they all do on production.
Blocked admins cannot block/unblock other users, unless they are only partially blocked.
I mainly tested Special:Block and Special:Unblock (the same function is used for checking whether a user can block and unblock).
I did briefly test API:Block and API:Unblock, which as far as I saw behaved the same. Because the behaviour of the function only depends on the current user, their blocked status and the target of the block, it did not seem to matter from which place it was called.
It does not seem to have any associated hooks, and is only used in one extension (RegexBlock, which is not used on production anywhere I could see).
I tested this primarily on vagrant (MediaWiki 1.35.0-alpha (610f008)), because I only have one Admin user on beta, so I could only block myself.
To check that the logic behind when an admin can block/unblock has not changed I performed some of the same tests on testwiki, saw the same outcomes.
I believe this can now be closed? @dom_walden If you need a second admin account at beta, that shouldn't be a problem :-).