IPInfo: Blocked users can use IPInfo
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To

Authored By

	dom_walden
	Nov 6 2020, 2:04 PM

Description

What is the problem?

Blocked users can still use IPInfo.

I am guessing they should probably be blocked, like they are from, for example, using Special:Block.

Steps to reproduce problem

Give $user the ipinfo right
Block $user
Log in as $user and try to look up information for a log/revision

Expected behavior: User is blocked; cannot see IP information
Observed behavior: User can see IP information

Details

	Subject	Repo	Branch	Lines +/-
	Check if user is blocked before allowing IPInfo API access	mediawiki/extensions/IPInfo	master	+18 -3

Customize query in gerrit

Related Objects

Mentioned In: T263442: Display API failure errors in the IPInfo popup
Mentioned Here: T270778: Fix margins on error message widget inside popup

Event Timeline

dom_walden created this task.Nov 6 2020, 2:04 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 6 2020, 2:04 PM

Niharika moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.Nov 18 2020, 6:02 AM

Tchanders moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment board.Dec 22 2020, 7:13 PM

STran claimed this task.Dec 23 2020, 12:55 AM

STran moved this task from Cards ready for development to The Letter Song on the Anti-Harassment board.

STran edited projects, added Anti-Harassment (The Letter Song); removed Anti-Harassment.

STran moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (The Letter Song) board.

Change 651679 had a related patch set uploaded (by STran; owner: STran):
[mediawiki/extensions/IPInfo@master] Check if user is blocked before allowing IPInfo API access

https://gerrit.wikimedia.org/r/651679

gerritbot added a project: Patch-For-Review.Dec 23 2020, 3:42 AM

STran moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (The Letter Song) board.Dec 23 2020, 3:46 AM

If you attempt to view ip info while blocked, you should see this message now:

Thanks @STran - the margin issue you pointed out is filed as T270778.

@Niharika @Prtksxna This task returns an error message from the API if the admin has any kind of block. This needs to be done in case the user attempts to query the API directly and not via the UI. There are a few more questions about how IPInfo should behave for blocked admins:

Should an admin with a partial block be allowed to view the data?
Should a blocked admin not even see the popup buttons or infobox?
Should we reset the IPInfo preference for a blocked admin, effectively banning them from the feature (and log this, like any other time we ban an admin from the feature)?

We may want to file some follow-up tasks depending on these.

Change 651679 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Check if user is blocked before allowing IPInfo API access

https://gerrit.wikimedia.org/r/651679