Page MenuHomePhabricator
Create Task
Maniphest T366265

Limit the number of blocks that can be performed in a single use of Special:InvestigateBlock to wgCheckUserMaxBlocks
Closed, ResolvedPublic1 Estimated Story Points
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
May 30 2024, 10:59 AM
Tags
Referenced Files
F54805771: image.png
Sat, Jun 1, 4:59 AM
F54805710: image.png
Sat, Jun 1, 4:59 AM
F54802722: image.png
Sat, Jun 1, 4:59 AM
F54805301: image.png
Sat, Jun 1, 4:59 AM
F54805266: image.png
Sat, Jun 1, 4:59 AM
F54805544: image.png
Sat, Jun 1, 4:59 AM
F54805236: image.png
Sat, Jun 1, 4:59 AM
F54805651: image.png
Sat, Jun 1, 4:59 AM
View All 12 Files
Subscribers
Aklapper
Djackson-ctr
Dreamy_Jazz

Description

The Special:CheckUser 'Get users' block form limits the number of users which can be blocked on one submission of the form to the number in wgCheckUserMaxBlocks. Special:InvestigateBlock does not currently limit the number of users which can be blocked in one use of the form.

Special:InvestigateBlock should be limited to block no more than wgCheckUserMaxBlocks users in one use of the form to provide feature parity with the 'Get users' form. The default value of the config is 200, which means that this limit is very unlikely to be reached and therefore should not affect CUs who are using the form in a legitimate way. The risk of allowing any number of users to be blocked is that a compromised CU account could mass block thousands of accounts in one use of the form.

Acceptance criteria
  • Special:InvestigateBlock does not allow more than wgCheckUserMaxBlocks (by default 200) users in the user input

Details

SubjectRepoBranchLines +/-
[DNM] Set wgCheckUserMaxBlocks to 3mediawiki/extensions/CheckUsermaster+1 -1
Fix InvestigateBlock truncated targets warning to use PLURALmediawiki/extensions/CheckUsermaster+1 -1
Limit the number of users blocked in InvestigateBlock via configmediawiki/extensions/CheckUsermaster+45 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.May 30 2024, 10:59 AM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMay 30 2024, 10:59 AM
Dreamy_Jazz set the point value for this task to 1.May 30 2024, 11:00 AM
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.
Aklapper removed a project: MW-1.43-notes (1.43.0-wmf.7; 2024-05-28).Thu, May 30, 1:56 PM
gerritbot added a comment.Thu, May 30, 2:54 PM

Change #1037552 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Limit the number of users blocked in InvestigateBlock via config

https://gerrit.wikimedia.org/r/1037552

gerritbot added a project: Patch-For-Review.Thu, May 30, 2:54 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.Thu, May 30, 3:07 PM
Dreamy_Jazz added a project: Trust and Safety Product Team.Thu, May 30, 3:22 PM
gerritbot added a comment.Thu, May 30, 7:37 PM

Change #1037552 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Limit the number of users blocked in InvestigateBlock via config

https://gerrit.wikimedia.org/r/1037552

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.8; 2024-06-04).Thu, May 30, 8:00 PM
Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.Thu, May 30, 10:32 PM
gerritbot added a comment.Fri, May 31, 9:43 AM

Change #1037740 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Fix InvestigateBlock truncated targets warning to use PLURAL

https://gerrit.wikimedia.org/r/1037740

Dreamy_Jazz moved this task from Needs QA to Needs Review on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.Fri, May 31, 9:43 AM
gerritbot added a comment.Fri, May 31, 10:29 AM

Change #1037740 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Fix InvestigateBlock truncated targets warning to use PLURAL

https://gerrit.wikimedia.org/r/1037740

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.Fri, May 31, 10:47 AM
gerritbot added a comment.Fri, May 31, 4:09 PM

Change #1037824 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [DNM] Set wgCheckUserMaxBlocks to 3

https://gerrit.wikimedia.org/r/1037824

Dreamy_Jazz added a comment.Fri, May 31, 4:17 PM

Suggested QA steps for either patch demo or local wiki:

  1. If on a local wiki, add $wgCheckUserMaxBlocks = 3; to your LocalSettings.php. If using patch demo, make your wiki with the patch 1037824 applied
  2. Make some testing edits using at least 4 different accounts
  3. Log into an account with the checkuser and sysop group (on patch demo this should be the Patch Demo user).
  4. Load Special:InvestigateBlock
  5. Attempt to enter more than 3 usernames or IP addresses in the Usernames and IP addresses field, verifying that you cannot enter more than 3 usernames / IPs.
  6. Load Special:Investigate and run a check that includes all of the 4 accounts used in step 5
  7. Click the Block accounts button and then press Continue
  8. Verify that in the Special:InvestigateBlock page that was opened, a warning is shown that looks like the following:

image.png (71×724 px, 5 KB)

  1. Check that only 3 users are listed in the Usernames and IP addresses field
Djackson-ctr subscribed.Sat, Jun 1, 4:59 AM

I have verified the new code has been implemented and is functioning and displaying as expected... Thank You @Dreamy_Jazz!!!

Screenshots of the accounts I used for (Test Step 6) on different devices/browsers:

image.png (601×913 px, 200 KB)

image.png (880×511 px, 194 KB)

image.png (300×1 px, 30 KB)

image.png (389×1 px, 270 KB)

Screenshots of the warning message (Test Step 8), and the listing of the first 3 users (Test Step 9) on different devices/browsers:

image.png (627×910 px, 170 KB)

image.png (901×658 px, 155 KB)

image.png (885×469 px, 178 KB)

image.png (900×479 px, 190 KB)

image.png (277×1 px, 25 KB)

image.png (412×1 px, 297 KB)

image.png (461×1 px, 246 KB)

Djackson-ctr moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)) board.Sat, Jun 1, 5:03 AM
Dreamy_Jazz closed this task as Resolved.Mon, Jun 3, 10:07 AM
Dreamy_Jazz moved this task from Sprint Shekere (13th May - 24th May) to Sprint Melodica (Jun 3 - Jun 14) on the Trust and Safety Product Sprint board.
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)); removed Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)).
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)); removed Trust and Safety Product Sprint (Sprint Melodica (Jun 3 - Jun 14)).
gerritbot added a comment.Mon, Jun 3, 11:37 AM

Change #1037824 abandoned by Dreamy Jazz:

[mediawiki/extensions/CheckUser@master] [DNM] Set wgCheckUserMaxBlocks to 3

Reason:

No longer needed.

https://gerrit.wikimedia.org/r/1037824

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits