
API:Block should validate page restrictions
Closed, Resolved | Public | 3 Estimated Story Points | BUG REPORT

Description

What is the problem?

You can submit a block via the API with a non-existent page.

The non-existent page is listed in the API response and in Special:Log?type=block. This is misleading as, even if someone created that page, the user would not be blocked from it. Nor is the user blocked from creating the page.

This might confuse admins as Special:Log might show that someone is blocked from a page even if they are not.

The entry for the page restriction in ipblocks_restrictions database table is 0.

To solve this, we should probably validate that the page exists. This is what we already do for namespace restrictions.

Steps to reproduce problem
  1. Use the API to submit a block with a non-existent page restriction (e.g. https://en.wikipedia.beta.wmflabs.org/wiki/Special:ApiSandbox#action=block&format=json&user=Drwpb&allowusertalk=1&partial=1&pagerestrictions=nonexistentpage).
  2. See pagerestrictions in the API response.
  3. Go to Special:Log?type=block to see block you just made (e.g. https://en.wikipedia.beta.wmflabs.org/wiki/Special:Log?type=block).

Expected behavior: When submitting the API request, some sort of validation error (e.g. Unrecognized value for parameter "namespacerestrictions": Nonexistentpage).
Observed behavior: Non-existent page is listed in API response and Special:Log.

Environment

Wiki(s): MediaWiki 1.36.0-alpha (fc4dffd) 09:10, 3 December 2020.

Screenshots (if applicable):

The API request and response:

submitapi.png (567×1 px, 50 KB)

The entry in Special:Log:
submitapispeciallog.png (34×1 px, 16 KB)

Event Timeline

Change 657798 had a related patch set uploaded (by ProcrastinatingReader; owner: ProcrastinatingReader):
[mediawiki/core@master] Validate page title for partial blocks

https://gerrit.wikimedia.org/r/657798

Ammarpad subscribed.
Niharika set the point value for this task to 3. (Mar 31 2021, 4:15 PM)

Change 676290 had a related patch set uploaded (by STran; author: STran):

[mediawiki/core@master] Don't allow blocking on pages that don't exist

https://gerrit.wikimedia.org/r/676290

If an invalid title name is given to the api it fails also: Exception caught: "Call to a member function getArticleID() on null" on PageRestriction.php(114)
Invalid title is "In<valid"

Try:
https://en.wikipedia.beta.wmflabs.org/wiki/Special:ApiSandbox#action=block&format=json&user=Drwpb&allowusertalk=1&partial=1&pagerestrictions=nonexistentpage%7Cin%3Cvalid

Change 676290 merged by jenkins-bot:

[mediawiki/core@master] Don't allow blocking on pages that don't exist

https://gerrit.wikimedia.org/r/676290

Some warnings appeared on later changes; I found them related to this task.

23:19:51 Running "banana:core" (banana) task
23:19:57 >> 1 message lacks documentation in qqq.json.
23:19:57 >> Message "cant-block-nonexistent-page" lacks documentation in qqq.json.
23:19:57 Warning: Task "banana:core" failed. Use --force to continue.

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/678099

I cannot reproduce the bug in the description. When I try to submit an API block with a nonexistent or deleted page, the API returns:

{
    "error": {
        "code": "cant-block-nonexistent-page",
        "info": "You cannot block a user from Nonexistentpage because the page does not exist",
        "*": "See https://en.wikipedia.beta.wmflabs.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes."
    },
    "servedby": "deployment-mediawiki11"
}

This is a fatal error, and blocks completion of the request. This is in contrast to trying to block a nonexistent namespace, which just returns a warning but otherwise completes the request (ignoring the nonexistent namespace).

I tested that otherwise I could still perform some of the actions I could before, such as blocking a single page, blocking a specific page in a custom namespace, partial block without page restrictions, etc.

The code change modifies a function used by both API:Block and Special:Block. We do not appear to see any difference with Special:Block, however, as OOUI was already checking that the page restrictions existed (even without JS).

That being said, I did do some regression testing of Special:Block (with and without JS) just in case.

Test Environment: https://en.wikipedia.beta.wmflabs.org MediaWiki 1.37.0-alpha (f61d37d) 18:48, 13 April 2021.

This is a fatal error, and blocks completion of the request. This is in contrast to trying to block a nonexistent namespace, which just returns a warning but otherwise completes the request (ignoring the nonexistent namespace).

From the Slack discussion, @Tchanders reckons the risk for disruption is quite low. We should start a task to fix this in the future for the sake of consistency, however. @dom_walden could you start a task for that? Thank you!

Raised T282574.
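
A client-side pre-flight check for the two failure cases in this task (a nonexistent page and an invalid title), as an added example that is not MediaWiki code and not part of the thread: it classifies requested page restrictions from an `action=query` response (`titles` joined with `|`, `formatversion=2`) before `action=block` is called. The sample response is constructed and the function names are hypothetical.

```python
"""Pre-flight check for action=block page restrictions (added example)."""

# Constructed sample of an action=query (formatversion=2) response covering
# the three kinds of title discussed in this task.
SAMPLE_QUERY_RESPONSE = {
    "query": {
        "normalized": [
            {"fromencoded": False, "from": "nonexistentpage", "to": "Nonexistentpage"},
            {"fromencoded": False, "from": "main Page", "to": "Main Page"},
        ],
        "pages": [
            {"title": "In<valid", "invalidreason": "(constructed reason text)", "invalid": True},
            {"ns": 0, "title": "Nonexistentpage", "missing": True},
            {"pageid": 1, "ns": 0, "title": "Main Page"},
        ],
    }
}


def classify_restrictions(requested, response):
    """Sort requested titles into ok, missing and invalid.

    Only a title that resolves to a positive page ID is usable: a missing
    page has no ID to store in ipblocks_restrictions, and an invalid title
    cannot be resolved to a page at all.
    """
    query = response.get("query", {})
    # Map each title as typed to the normalized form the wiki reports.
    normalized = {n["from"]: n["to"] for n in query.get("normalized", [])}
    pages = {p["title"]: p for p in query.get("pages", [])}

    result = {"ok": [], "missing": [], "invalid": []}
    for raw in requested:
        page = pages.get(normalized.get(raw, raw))
        if page is None or page.get("invalid"):
            # Absent from the response counts as unverified, so reject it too.
            result["invalid"].append(raw)
        elif page.get("missing") or page.get("pageid", 0) <= 0:
            result["missing"].append(raw)
        else:
            result["ok"].append(raw)
    return result


def build_pagerestrictions(requested, response):
    """Return the pipe-joined pagerestrictions value, or raise if any title is unusable."""
    checked = classify_restrictions(requested, response)
    rejected = checked["missing"] + checked["invalid"]
    if rejected:
        raise ValueError("unusable page restrictions: " + ", ".join(rejected))
    return "|".join(checked["ok"])
```
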