Page MenuHomePhabricator
Create Task
Maniphest T292932

urlshortener-blocked on bot account with global-ipblock-exempt
Open, Needs TriagePublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

{"error":{"code":"urlshortener-blocked","info":"Blocked users can't make short URLs.","*":"See https://meta.wikimedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."},"servedby":"mwXXXX"}

What happens?:
Extension denies the access to the feature altough the user has the global-ipblock-exempt permission.

What should have happened instead?:
Extension should give access to the feature to the authenticated user with the global-ipblock-exempt permission.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc:
N/A

Related Objects

Event Timeline

MarioFinale created this task.Oct 11 2021, 12:11 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 11 2021, 12:11 AM
MarioFinale updated the task description. (Show Details)Oct 11 2021, 12:12 AM
MarioFinale updated the task description. (Show Details)
MarioFinale updated the task description. (Show Details)
Zabe subscribed.Oct 11 2021, 12:17 AM
MarioFinale added a project: API Platform.Oct 14 2021, 8:41 PM
MarioFinale updated the task description. (Show Details)
Legoktm removed a project: API Platform.Oct 14 2021, 8:56 PM
Legoktm subscribed.

I think the problem is https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/UrlShortener/+/refs/heads/master/includes/UrlShortenerUtils.php#48 where we check both $user->isBlocked() and $user->isGloballyBlocked(). I don't know why we check for the second one explicitly - I don't think other code does that.

Ladsgroup subscribed.Oct 15 2021, 11:54 AM

I'm pretty sure I was explicitly told to add that apparently isBlocked is not enough to keep globally banned users away.

MarioFinale added a comment.Oct 28 2021, 12:29 AM

Then maybe the problem is in the isBlockedGlobally() function. It should return false if the user has the global-ipblock-exempt permission I suppose.
Here: https://doc.wikimedia.org/mediawiki-core/master/php/User_8php_source.html#l02030
First it checks if the user has mGlobalBlock defined and if not then checks if the user is an IP, if not then gets the user's IP and checks if the IP is blocked. Maybe It should first check the user groups if the user is not an IP and then set mGlobalBlock accordingly.

Ammarpad mentioned this in T375980: URL shortener doesn't work with a blocked IP.Sep 29 2024, 6:14 PM
stjn subscribed.Oct 11 2024, 11:43 PM

Can someone check if this issue still persists after it got switched to $user->getBlock() in be1c0ab2595d85b75ad4e0c715bd8ebf391c96e9 / T318897?

Pppery added a project: TestMe.Dec 23 2024, 7:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits