Page MenuHomePhabricator

IPInfo: Blocked users can use IPInfo
Closed, ResolvedPublicBUG REPORT


What is the problem?

Blocked users can still use IPInfo.

I am guessing they should probably be blocked, like they are from, for example, using Special:Block.

Steps to reproduce problem
  1. Give $user the ipinfo right
  2. Block $user
  3. Log in as $user and try to look up information for a log/revision

Expected behavior: User is blocked; cannot see IP information
Observed behavior: User can see IP information

Event Timeline

Change 651679 had a related patch set uploaded (by STran; owner: STran):
[mediawiki/extensions/IPInfo@master] Check if user is blocked before allowing IPInfo API access

If you attempt to view ip info while blocked, you should see this message now:

Thanks @STran - the margin issue you pointed out is filed as T270778.

@Niharika @Prtksxna This task returns an error message from the API if the admin has any kind of block. This needs to be done in case the user attempts to query the API directly and not via the UI. There are a few more questions about how IPInfo should behave for blocked admins:

  • Should an admin with a partial block be allowed to view the data?
  • Should a blocked admin not even see the popup buttons or infobox?
  • Should we reset the IPInfo preference for a blocked admin, effectively banning them from the feature (and log this, like any other time we ban an admin from the feature)?

We may want to file some follow-up tasks depending on these.

Change 651679 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Check if user is blocked before allowing IPInfo API access

Bypassing QA since we'll likely do more work on this, so can test then