Page MenuHomePhabricator
Create Task
Maniphest T317325

Remove separate checks for global blocks from APIUpload and SpecialUpload
Closed, ResolvedPublic
Actions

Assigned To
Cyndymediawiksim
Authored By
Tchanders
Sep 8 2022, 3:00 PM
Tags
Referenced Files
F35755782: T317325_SB_Partial_Uncheck_Chrome2of2.png
Nov 11 2022, 7:35 PM
F35755780: T317325_SB_Partial_Uncheck_Chrome1of2.png
Nov 11 2022, 7:35 PM
F35755694: T317325_GB_IP_Chrome.png
Nov 11 2022, 7:35 PM
F35754996: image.png
Nov 11 2022, 4:39 PM
F35754995: image.png
Nov 11 2022, 4:39 PM
F35754964: image.png
Nov 11 2022, 4:39 PM
F35754950: image.png
Nov 11 2022, 4:39 PM
F35754945: image.png
Nov 11 2022, 4:39 PM
Subscribers
Aklapper
GMikesell-WMF
Tchanders

Description

Background

APIUpload and SpecialUpload check for global blocks separately from other blocks. If a global block is found, it blocks upload.

This is an example of MediaWiki core being aware of an extension - GlobalBlocking.

After T257701: Add global blocks into CompositeBlocks rather than treating them separately and T317324: GlobalBlock::appliesToRight should return true for 'upload' this will no longer be necessary, and these checks can be removed.

Acceptance criteria
  • APIUpload and SpecialUpload no longer check for global blocks separately, but 'upload' is still blocked by a global block
Testing steps

For local testing the following config are needed:

  • $wgEnableUploads = true;
  • $wgGroupPermissions['*']['upload'] = true;

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Remove separate checks for global blocks from APIUpload and SpecialUploadmediawiki/coremaster+0 -15
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.Sep 8 2022, 3:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 8 2022, 3:00 PM
Tchanders added a subtask: T317324: GlobalBlock::appliesToRight should return true for 'upload'.Sep 8 2022, 3:00 PM
Tchanders mentioned this in T317337: Deprecate global-blocks-specific methods and hook.Sep 8 2022, 4:08 PM
Tchanders added a parent task: T317337: Deprecate global-blocks-specific methods and hook.Sep 8 2022, 4:15 PM
Tchanders moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment-Team board.Sep 9 2022, 3:37 PM
Tchanders assigned this task to Cyndymediawiksim.Sep 26 2022, 2:14 PM
Tchanders moved this task from Triage/To be Estimated to AHaT Sprint 16: The Sorting Hat on the Anti-Harassment-Team board.
Tchanders edited projects, added Anti-Harassment-Team (AHaT Sprint 16: The Sorting Hat); removed Anti-Harassment-Team.
Cyndymediawiksim moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment-Team (AHaT Sprint 16: The Sorting Hat) board.Sep 26 2022, 2:42 PM
STran edited projects, added Anti-Harassment-Team (AHT Sprint 17: The Fruit Hat); removed Anti-Harassment-Team (AHaT Sprint 16: The Sorting Hat).Sep 27 2022, 4:49 PM
STran moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment-Team (AHT Sprint 17: The Fruit Hat) board.
Tchanders mentioned this in T317324: GlobalBlock::appliesToRight should return true for 'upload'.Sep 28 2022, 3:11 PM
Tchanders added a subtask: T257701: Add global blocks into CompositeBlocks rather than treating them separately.Sep 28 2022, 3:14 PM
gerritbot added a comment.Oct 11 2022, 8:51 AM

Change 841454 had a related patch set uploaded (by Cyndywikime; author: Cyndywikime):

[mediawiki/core@master] Remove separate checks for global blocks from APIUpload and SpecialUpload

https://gerrit.wikimedia.org/r/841454

gerritbot added a project: Patch-For-Review.Oct 11 2022, 8:51 AM
Cyndymediawiksim moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment-Team (AHT Sprint 17: The Fruit Hat) board.Oct 11 2022, 8:53 AM
ARamirez_WMF edited projects, added Anti-Harassment-Team (AHaT Sprint 18: The Imperial State Crown); removed Anti-Harassment-Team (AHT Sprint 17: The Fruit Hat).Oct 11 2022, 4:08 PM
ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment-Team (AHaT Sprint 18: The Imperial State Crown) board.
Tchanders updated the task description. (Show Details)Oct 12 2022, 4:18 PM
AGueyte moved this task from Code Review 🔍 to Blocked/Stalled 🚧 on the Anti-Harassment-Team (AHaT Sprint 18: The Imperial State Crown) board.Oct 12 2022, 5:53 PM
ARamirez_WMF edited projects, added Anti-Harassment-Team (AHaT Sprint 19: The Deerstalker); removed Anti-Harassment-Team (AHaT Sprint 18: The Imperial State Crown).Oct 25 2022, 4:53 PM
ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Blocked/Stalled 🚧 on the Anti-Harassment-Team (AHaT Sprint 19: The Deerstalker) board.
ARamirez_WMF edited projects, added Anti-Harassment-Team (AHaT Sprint 19: The Sanbenito); removed Anti-Harassment-Team (AHaT Sprint 19: The Deerstalker).Nov 8 2022, 5:24 AM
ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Blocked/Stalled 🚧 on the Anti-Harassment-Team (AHaT Sprint 19: The Sanbenito) board.
Tchanders moved this task from Blocked/Stalled 🚧 to Code Review 🔍 on the Anti-Harassment-Team (AHaT Sprint 19: The Sanbenito) board.Nov 9 2022, 4:23 PM
Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment-Team (AHaT Sprint 19: The Sanbenito) board.EditedNov 9 2022, 5:00 PM

Testing notes:

I think this can be tested on Beta, though you might want to be careful about what you upload? I tested locally.

I tested this by blocking an IP address via Special:GlobalBlock, ensuring that was the only block on that IP address. Then, as that IP address:

  • I visited Special:Upload, and got a block error as expected
  • I used Special:APISandbox to make a request to the upload API, and got a block error, as expected

I encountered no block error from an unblocked IP address.

Steps for using Special:APISandbox in case it helps (though the API doesn't need to be tested via the UI):

  • Go to Special:APISandbox
  • Choose upload from the action dropdown

image.png (454×1 px, 77 KB)

  • Click on action=upload in the sidebar

image.png (157×273 px, 5 KB)

  • Enter some name in the filename input

image.png (473×1 px, 85 KB)

  • Choose a file via the file input, below

image.png (897×1 px, 92 KB)

  • Click on "Make request" (top right)

image.png (583×1 px, 133 KB)

The response should be a user blocked error

gerritbot added a comment.Nov 10 2022, 1:15 PM

Change 841454 merged by jenkins-bot:

[mediawiki/core@master] Remove separate checks for global blocks from APIUpload and SpecialUpload

https://gerrit.wikimedia.org/r/841454

Maintenance_bot removed a project: Patch-For-Review.Nov 10 2022, 1:30 PM
ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.10; 2022-11-14).Nov 10 2022, 2:00 PM
Tchanders attached a referenced file: F35754996: image.png. (Show Details)Nov 11 2022, 4:39 PM
Tchanders attached a referenced file: F35754995: image.png. (Show Details)
Tchanders attached a referenced file: F35754964: image.png. (Show Details)
Tchanders attached a referenced file: F35754950: image.png. (Show Details)
Tchanders attached a referenced file: F35754945: image.png. (Show Details)
GMikesell-WMF subscribed.Nov 11 2022, 7:35 PM

@Tchanders I tested Global block, composite blocks, range ips, sitewide and partial blocks which all came up with the same block error as seen in the 1st screenshot below but with a different blockid.

I did come across a possible issue in Special:Block which I wanted to run it with you first. When I don't check the Apply block to logged-in users from this IP address in Special:Block, I am still allowed to upload on Special:APISandbox. If the default was checked, I'm sure if this wouldn't be too much of a problem. Since it is, if someone does not know to check that box, that user can still do an upload as seen in the 2nd and 3rd screenshots.

Global Block Also tested Composite Blocks, Range IPs, Sitewide, Partial

T317325_GB_IP_Chrome.png (936×2 px, 311 KB)

T317325_SB_Partial_Uncheck_Chrome1of2.png (1×2 px, 192 KB)

T317325_SB_Partial_Uncheck_Chrome2of2.png (1×2 px, 273 KB)

Tchanders added a comment.Nov 15 2022, 4:21 PM
In T317325#8390090, @GMikesell-WMF wrote:

I did come across a possible issue in Special:Block which I wanted to run it with you first. When I don't check the Apply block to logged-in users from this IP address in Special:Block, I am still allowed to upload on Special:APISandbox. If the default was checked, I'm sure if this wouldn't be too much of a problem. Since it is, if someone does not know to check that box, that user can still do an upload as seen in the 2nd and 3rd screenshots.

Thanks for raising this @GMikesell-WMF. I had a quick search to check whether any issues had been filed about this, and I didn't find anything, so looks like it hasn't been a problem so far. In the past, where we have changed form field defaults, we have discussed with community members first (e.g. this task from the partial blocks project: T208510) - so I'm happy to leave this as is until we hear that it's a problem.

Tchanders mentioned this in T317334: Remove separate checks for global blocks from PasswordReset.Nov 15 2022, 4:22 PM
GMikesell-WMF added a comment.Nov 15 2022, 7:05 PM

@Tchanders Ok sounds good! If it's not a problem with the community then I'm fine with leaving it as is for now. I will move this to Done. Thanks!

GMikesell-WMF moved this task from QA/Testing 🐞 to Done Q2 2022-2023 on the Anti-Harassment-Team (AHaT Sprint 19: The Sanbenito) board.Nov 15 2022, 7:05 PM
Niharika closed subtask T317324: GlobalBlock::appliesToRight should return true for 'upload' as Resolved.Dec 8 2022, 1:03 AM
Niharika closed this task as Resolved.Mar 1 2023, 1:37 AM
Niharika closed subtask T257701: Add global blocks into CompositeBlocks rather than treating them separately as Resolved.Mar 1 2023, 1:39 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits