
Blocked temporary account user should see block message on edit page when their IP address is blocked
Closed, Resolved (Public)

Description

Background

Steps to reproduce:

  • As an admin, block a user, enabling the autoblock option
  • Set $wgAutoCreateTempUser['enabled'] = true;
  • As a logged-out user, try to edit an article from an IP address that was blocked
  • Expected: see a blocked notice
  • Actual: see no indication that there is a block

Notes:

  1. The block is enforced once the edit is submitted. However, the temporary user does not get any warning that they are blocked until that point.
  2. This applies to direct blocks against the IP, autoblocks, and global blocks

Acceptance criteria

With $wgAutoCreateTempUser['enabled'] = true;, and as a logged-out user visiting an edit page:

  • If there is a block against the user's IP address, they see a blocked notice above the editor
  • If there is an autoblock against the user's IP address, they see a blocked notice above the editor
  • If there is a global block against the user's IP address, they see a blocked notice above the editor
  • With $wgGroupPermissions['*']['edit'] = false;, and no block against the IP address, it is still possible to make an edit as a logged-out user since a temporary account will be created

The final point is a regression check, since the code that introduced this bug was designed to implement that behaviour.

Event Timeline

Tchanders created this task.

Note: The block is enforced once the edit is submitted. However, the temporary user does not get any warning that they are blocked until that point.

The behaviour is similar for global blocks, and should be fixed too.

Tchanders renamed this task from Blocked temporary account user should see block message on edit page when their IP address is autoblocked to Blocked temporary account user should see block message on edit page when their IP address is blocked. Mar 21 2023, 6:13 PM
Tchanders updated the task description.

Change 901693 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] EditPage: Check explicitly for blocks against the global session

https://gerrit.wikimedia.org/r/901693

As @Cyndymediawiksim and @AGueyte identified, the lines that introduced this bug are here:

$this->maybeActivateTempUserCreate( !$this->firsttime );
$permErrors = $this->getEditPermissionErrors(
	$this->save ? PermissionManager::RIGOR_SECURE : PermissionManager::RIGOR_FULL
);

This ensures that, when a logged-out user tries to edit a page, permission checks are done on a placeholder temporary user rather than an anonymous user. This allows temporary accounts to be autocreated on wikis that have $wgGroupPermissions['*']['edit'] = false;, as described in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/778684 .

Two awkward features then cause this bug (and also make it difficult to solve nicely):

  1. Block checks are rolled in with permissions checks, so all are done at once via the above call
  2. The block check 'magically' decides whether to check for blocks against the request (blocks against the IP address or IPs in the XFF header, cookie blocks), based on whether the user whose block we're checking is the global session user or not. The temporary placeholder user is not the global session user, so these checks aren't done - hence no error message. The magic is buried deep in User::getBlockedStatus.

It would be nice to solve (2) via T221067, but it's not trivial due to the number of callers that would need updating. Until then we can do a quick manual check, which is what the patch does.
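
The two features described in the comment above, as an added example that is not part of the task or of MediaWiki's code. It is a simplified stand-alone model: every class and function name is hypothetical, and the IP addresses are constructed sample values from documentation ranges.

```php
<?php
// Simplified model, not MediaWiki code: all names here are hypothetical.
declare( strict_types=1 );

final class ModelUser {
	public function __construct( public string $name, public bool $isSessionUser ) {
	}
}

final class ModelBlockStore {
	/** @param string[] $blockedNames @param string[] $blockedIps */
	public function __construct( private array $blockedNames, private array $blockedIps ) {
	}

	/** Passing null for $requestIps skips every request-based check. */
	public function findBlock( ModelUser $user, ?array $requestIps ): ?string {
		if ( in_array( $user->name, $this->blockedNames, true ) ) {
			return "user:{$user->name}";
		}
		foreach ( $requestIps ?? [] as $ip ) {
			if ( in_array( $ip, $this->blockedIps, true ) ) {
				return "ip:$ip";
			}
		}
		return null;
	}
}

/** The "magic": request-based blocks are only considered for the session user. */
function blockForPermissionCheck( ModelBlockStore $store, ModelUser $user, array $requestIps ): ?string {
	return $store->findBlock( $user, $user->isSessionUser ? $requestIps : null );
}

// Constructed sample data: one blocked IP, a request carrying it plus an XFF entry.
$store = new ModelBlockStore( [], [ '203.0.113.7' ] );
$requestIps = [ '203.0.113.7', '198.51.100.4' ];
$anon = new ModelUser( '203.0.113.7', true );          // the real session user
$placeholder = new ModelUser( '~placeholder', false ); // stand-in temporary user

// Before: only the placeholder is checked, so the IP block is never looked up.
$before = blockForPermissionCheck( $store, $placeholder, $requestIps );
// After: an explicit second check against the session user covers the request.
$after = $before ?? blockForPermissionCheck( $store, $anon, $requestIps );

echo 'placeholder only: ', var_export( $before, true ), PHP_EOL;
echo 'with session check: ', var_export( $after, true ), PHP_EOL;
```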

Change 901693 merged by jenkins-bot:

[mediawiki/core@master] EditPage: Check explicitly for blocks against the global session

https://gerrit.wikimedia.org/r/901693

dom_walden subscribed.

Acceptance criteria

...

  • If there is a block against the user's IP address, they see a blocked notice above the editor
  • If there is an autoblock against the user's IP address, they see a blocked notice above the editor
  • If there is a global block against the user's IP address, they see a blocked notice above the editor

On dewiki beta, I tested the block message shown on the edit page for an anonymous, temporary and named user for a number of different types of blocks, including IP, auto, global block, partial and composite.

I also repeated this test locally while blocking IPs with system blocks ($wgProxyList, $wgSoftBlockRanges) locally.

In case of regression, I ran some of the same tests on enwiki beta (which does not have temporary users).

I also tested viewing a preview or diff, by blocking a user when they were already on the edit page and then clicking "Show preview" or "Show changes".

I also tested different types of users editing via the API with various types of blocks, just in case it had been affected.

  • With $wgGroupPermissions['*']['edit'] = false;, and no block against the IP address, it is still possible to make an edit as a logged-out user since a temporary account will be created

This was true when testing locally.

I also tested the block message shown on the edit page for anon, temp and named users for IP, auto and global blocks.

Test environment: https://de.wikipedia.beta.wmflabs.org various versions of MediaWiki.