Page MenuHomePhabricator

API:Block should validate page restrictions
Closed, ResolvedPublic3 Estimated Story PointsBUG REPORT

Description

What is the problem?

You can submit a block via the API with a non-existent page.

The non-existent page is listed in the API response and in Special:Log?type=block. This is misleading as, even if someone created that page, the user would not be blocked from it. Nor is the user blocked from creating the page.

This might confuse admins as Special:Log might show that someone is blocked from a page even if they are not.

The entry for the page restriction in ipblocks_restrictions database table is 0.

To solve this, we should probably validate that the page exists. This is what we already do for namespace restrictions.

Steps to reproduce problem
  1. Use the API to submit a block with a non-existent page restriction (e.g. https://en.wikipedia.beta.wmflabs.org/wiki/Special:ApiSandbox#action=block&format=json&user=Drwpb&allowusertalk=1&partial=1&pagerestrictions=nonexistentpage).
  2. See pagerestrictions in the API response.
  3. Go to Special:Log?type=block to see block you just made (e.g. https://en.wikipedia.beta.wmflabs.org/wiki/Special:Log?type=block).

Expected behavior: When submitting the API request, some sort of validation error (e.g. Unrecognized value for parameter "namespacerestrictions": Nonexistentpage.
Observed behavior: Non-existent page is listed in API response and Special:Log.

Environment

Wiki(s): MediaWiki 1.36.0-alpha (fc4dffd) 09:10, 3 December 2020.

Screenshots (if applicable):

The API request and response:

submitapi.png (567×1 px, 50 KB)

The entry in Special:Log:
submitapispeciallog.png (34×1 px, 16 KB)

Event Timeline

Change 657798 had a related patch set uploaded (by ProcrastinatingReader; owner: ProcrastinatingReader):
[mediawiki/core@master] Validate page title for partial blocks

https://gerrit.wikimedia.org/r/657798

Ammarpad added a subscriber: Ammarpad.
Niharika set the point value for this task to 3.Mar 31 2021, 4:15 PM

Change 676290 had a related patch set uploaded (by STran; author: STran):

[mediawiki/core@master] Don't allow blocking on pages that don't exist

https://gerrit.wikimedia.org/r/676290

If an invalid title name is given to the api it fails also: Exception caught: "Call to a member function getArticleID() on null" on PageRestriction.php(114)
Invalid title is "In<valid"

Try:
https://en.wikipedia.beta.wmflabs.org/wiki/Special:ApiSandbox#action=block&format=json&user=Drwpb&allowusertalk=1&partial=1&pagerestrictions=nonexistentpage%7Cin%3Cvalid

Change 676290 merged by jenkins-bot:

[mediawiki/core@master] Don't allow blocking on pages that don't exist

https://gerrit.wikimedia.org/r/676290

Some warnings appeared on later changes, I found it related to this task.

23:19:51 Running "banana:core" (banana) task
23:19:57 >> 1 message lacks documentation in qqq.json.
23:19:57 >> Message "cant-block-nonexistent-page" lacks documentation in qqq.json.
23:19:57 Warning: Task "banana:core" failed. Use --force to continue.

Some warnings appeared on later changes, I found it related to this task.

23:19:51 Running "banana:core" (banana) task
23:19:57 >> 1 message lacks documentation in qqq.json.
23:19:57 >> Message "cant-block-nonexistent-page" lacks documentation in qqq.json.
23:19:57 Warning: Task "banana:core" failed. Use --force to continue.

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/678099

I cannot reproduce the bug in the description. When I try to submit an API block with a nonexistent or deleted page, the API returns:

{
    "error": {
        "code": "cant-block-nonexistent-page",
        "info": "You cannot block a user from Nonexistentpage because the page does not exist",
        "*": "See https://en.wikipedia.beta.wmflabs.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes."
    },
    "servedby": "deployment-mediawiki11"
}

This is a fatal error, and blocks completion of the request. This is in contrast to trying to block a nonexistent namespace, which just returns a warning but otherwise completes the request (ignoring the nonexistent namespace).

I tested that otherwise I could still perform some of the actions I could before, such as blocking a single page, blocking a specific page in a custom namespace, partial block without page restrictions, etc.

The code change modifies a function used by both API:Block and Special:Block. We do not appear to see any difference with Special:Block, however, as OOUI was already checking that the page restrictions existed (even without JS).

That being said, I did do some regression testing of Special:Block (with and without JS) just in case.

Test Environment: https://en.wikipedia.beta.wmflabs.org MediaWiki 1.37.0-alpha (f61d37d) 18:48, 13 April 2021.

This is a fatal error, and blocks completion of the request. This is in contrast to trying to block a nonexistent namespace, which just returns a warning but otherwise completes the request (ignoring the nonexistent namespace).

From the Slack discussion, @Tchanders reckons the risk for disruption is quite low. We should start a task to fix this in the future for the sake of consistency, however. @dom_walden could you start a task for that? Thank you!

This is a fatal error, and blocks completion of the request. This is in contrast to trying to block a nonexistent namespace, which just returns a warning but otherwise completes the request (ignoring the nonexistent namespace).

From the Slack discussion, @Tchanders reckons the risk for disruption is quite low. We should start a task to fix this in the future for the sake of consistency, however. @dom_walden could you start a task for that? Thank you!

Raised T282574.