Page MenuHomePhabricator
Create Task
Maniphest T271113

ipblock-exempt permissions ignored on account creation
Closed, DuplicatePublic
Actions

Description

Steps to reproduce:

  • Be logged-in.
  • Have an account with the appropriate local or global permissions: createaccount, ipblock-exempt and globalblock-exempt (e.g. an account with sysop permissions).
  • Your IP address, or IP range is locally blocked with the "account creation disabled" flag on.
  • Now attempt to create an account for somebody else (that is, while logged with the privileged account) using Special:CreateAccount.

Actual results:
MediaWiki prevents the privileged account from creating that account for a third-party, and shows the "You're blocked" message. One would expect that at least the ipblock-exempt allowed this as well as editting (ipblock-exempt: "Bypass IP blocks, auto-blocks and range blocks").

Expected/Desired results:
MediaWiki allowed said user with the appropriate permissions to create that account for a third party.

Notes:

  • MediaWiki 1.36.0-wmf.22 (rMWf77db54ba502) --18:00, 21 December 2020.
  • CentralAuth: e162c98 -- 07:40, 14 December 2020.

Related Objects

Event Timeline

MarcoAurelio created this task.Jan 4 2021, 3:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2021, 3:37 PM
Urbanecm added a comment.Jan 4 2021, 3:39 PM

I looked into this issue per @MarcoAurelio's request. Immediate cause is that https://en.wikipedia.org/w/api.php?action=query&format=json&list=users&ususers=Martin%20Urbanec%20(test%2015)&usprop=cancreate&formatversion=2&errorformat=html&errorsuselocal=true&uselang=en returns (while you're under a blocked IP, like a VPN at enwiki) "cancreate": false and "cancreateerror": [ { "code": "blocked", [...] }]. That means that the API module cancreate ignores ipblock-exempt and similar permissions for some reason.

MarcoAurelio edited projects, added MediaWiki-User-login-and-signup; removed MediaWiki-User-management.Jan 4 2021, 3:42 PM
MarcoAurelio added a comment.Jan 4 2021, 4:11 PM

Shall we tag with MediaWiki-Action-API as well?

Urbanecm added a comment.Jan 4 2021, 4:25 PM

https://github.com/wikimedia/mediawiki/blob/master/includes/auth/CheckBlocksSecondaryAuthenticationProvider.php#L80 seems to check blocked status on the "to be created" anonymous user, rather than the actual creator. I can't, however, find the breaking commit, all the changes to the code seem to be pretty old. I'll upload a fixing patch.

Ammarpad closed this task as a duplicate of T189362: ipblock-exempt does not allow account creation when blocked.Jan 4 2021, 4:41 PM
gerritbot added a comment.Jan 4 2021, 4:42 PM

Change 654273 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[mediawiki/core@master] CheckBlocksSecondaryAuthenticationProvider: Check creator's permissions, not created user's permissions

https://gerrit.wikimedia.org/r/654273

gerritbot added a project: Patch-For-Review.Jan 4 2021, 4:42 PM
Urbanecm claimed this task.Jan 4 2021, 4:46 PM
Restricted Application added a project: User-Urbanecm. · View Herald TranscriptJan 4 2021, 4:46 PM
Urbanecm removed Urbanecm as the assignee of this task.Jan 4 2021, 4:47 PM
Base subscribed.Jan 8 2021, 7:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits