Blocked users can do everything they normally can, except edit.
Closed, Resolved
Public

Description

Author: chris

Description:
Blocking a user does not prevent them from doing anything except actually
editing a page, which means that blocked users can still rollback, (un)protect,
block/unblock, etc. if they have those abilities normally available to them.

I suggest this is modified so that a blocked user is prevented from doing
anything which alters the database, apart from unblocking themselves.


Version: unspecified
Severity: normal

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz3801.
bzimport created this task. Via Legacy, Oct 26 2005, 4:58 PM
bzimport added a comment. Via Conduit, Oct 26 2005, 6:38 PM

gangleri wrote:

(In reply to comment #0)

> I suggest this is modified so that a blocked user is prevented from doing
> anything which alters the database, apart from unblocking themselves.

"anything which alters the database" are also "actions" which do not affect
other users:

  1. changing preferences, including e-mail address, password etc.
  2. adding / removing items to their own watch list

I think that it would be fair to allow blocked users these actions.

Regards Reinhardt [[user:gangleri]]

bzimport added a comment. Via Conduit, Nov 4 2005, 5:19 PM

robchur wrote:

This glitch is not of the highest priority, nor is it "critical". Incidentally,
if endorsing the ability to self-unblock, then why bother restricting the other
stuff; the user can just unblock themself, then carry on.

bzimport added a comment. Via Conduit, Nov 4 2005, 6:04 PM

nick_tarleton wrote:

Because if we do enable rollback separately from adminship (which there is some
demand for), users with rollback but not admin shouldn't be able to rollback.

bzimport added a comment. Via Conduit, Nov 5 2005, 5:07 PM

robchur wrote:

Well, technically speaking, rollback assignment is a configuration issue. Users
with rollback don't have access to the blocks, however, and so couldn't unblock
themselves. Rollback needs merely to be tweaked to check that the user isn't
blocked first.

bzimport added a comment. Via Conduit, Nov 5 2005, 5:57 PM

nick_tarleton wrote:

That's exactly my point.

bzimport added a comment. Via Conduit, Dec 13 2005, 9:45 PM

chris wrote:

(In reply to comment #1)

> "anything which alters the database" are also "actions" which do not affect
> other users [..]

Yes, you make a sensible point. I didn't think of that when writing. I agree
that blocked users should be allowed to perform these tasks too. My wording was
unclear.

(In reply to comment #4)

> Well, technically speaking, rollback assignment is a configuration issue. Users
> with rollback don't have access to the blocks, however, and so couldn't unblock
> themselves. Rollback needs merely to be tweaked to check that the user isn't
> blocked first.

Yes, that is what this bug report is for. :)

Chris

bzimport added a comment. Via Conduit, Jan 2 2006, 10:55 PM

mickflemm wrote:

In includes/User.php, in function isAllowed add the following...

// If the user wants to delete or undelete a page and he is blocked, don't allow him to do so.
if ( ( $action == 'delete' || $action == 'undelete' ) && $this->isBlocked() ) {
        return false;
}

// If the user wants to protect or unprotect a page and he is blocked, don't allow him to do so.
if ( ( $action == 'protect' || $action == 'unprotect' ) && $this->isBlocked() ) {
        return false;
}

...I guess it should work.
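
The snippet above checks the block status one action at a time, so any right it does not name (rollback and block, both raised in this report) still passes for a blocked user. As an added example (not MediaWiki code and not part of the thread), a deny-by-default variant in PHP: while blocked, only an explicit allowlist passes, taken from comments #0 and #1. The `Account` class and the action names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical model for illustration; not MediaWiki's User class.
final class Account
{
    // Actions kept while blocked: own-account settings (comment #1) and
    // 'unblock' (comment #0). Everything else is refused.
    private const ALLOWED_WHILE_BLOCKED = ['read', 'editpreferences', 'editwatchlist', 'unblock'];

    /** @var string[] rights granted through configuration */
    private $rights;
    /** @var bool */
    private $blocked;

    public function __construct(array $rights, bool $blocked = false)
    {
        $this->rights = $rights;
        $this->blocked = $blocked;
    }

    public function isBlocked(): bool
    {
        return $this->blocked;
    }

    public function isAllowed(string $action): bool
    {
        // The right has to be granted in the first place.
        if (!in_array($action, $this->rights, true)) {
            return false;
        }
        // Deny by default while blocked: a right added later (for example
        // rollback split from adminship) is refused without touching this code.
        if ($this->isBlocked() && !in_array($action, self::ALLOWED_WHILE_BLOCKED, true)) {
            return false;
        }
        return true;
    }
}

// Constructed sample: a blocked administrator account.
$admin = new Account(
    ['read', 'editpreferences', 'editwatchlist', 'rollback', 'delete', 'protect', 'block', 'unblock'],
    true
);
foreach (['rollback', 'delete', 'protect', 'block', 'unblock', 'editwatchlist'] as $action) {
    printf("%-14s %s\n", $action, $admin->isAllowed($action) ? 'allowed' : 'denied');
}
```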

bzimport added a comment. Via Conduit, Jan 6 2006, 11:28 PM

robchur wrote:

Fixed in CVS HEAD. Blocked users can now not use rollback, or delete pages.
Protection levels are read-only when the user is blocked, and the undelete page
works like it does for users without that permission.

bzimport added a comment. Via Conduit, Jan 20 2006, 12:37 PM

p_simoons wrote:

Does that imply that blocked users can still block other users?

bzimport added a comment. Via Conduit, Jan 21 2006, 3:48 PM

robchur wrote:

(In reply to comment #9)

> Does that imply that blocked users can still block other users?

Yes.

bzimport added a comment. Via Conduit, Jan 23 2006, 1:16 AM

p_simoons wrote:

Wouldn't it be more appropriate to still allow a blocked admin to UNblock, but
not allow him to Block? Should be an equally simple code tweak.

bzimport added a comment. Via Conduit, Feb 2 2006, 7:46 PM

pmjcovello wrote:

The problem with that is an admin wouldn't be able to undo unblocks made in error.

bzimport added a comment. Via Conduit, Feb 8 2006, 6:54 PM

chris wrote:

I believe that the ability for admins to block/unblock others while blocked
should be limited. Admins should only be able to unblock themselves while
blocked, in case of an autoblocker.

Chris

brion added a comment. Via Conduit, Feb 8 2006, 10:44 PM

  1. What's "themselves"? An IP block that hits an admin isn't explicitly linked
     to their account. In cases like AOL proxies it may not even be consistent
     from hit to hit.
  2. If they can unblock themselves, they can then block and unblock anyone else.
     So what does some kind of limitation here actually accomplish?

bzimport added a comment. Via Conduit, Feb 8 2006, 11:02 PM

chris wrote:

Thanks for explaining that Brion, I didn't think of that. In that case, just
limiting the ability of blocked users to block others would serve.

Chris

bzimport added a comment. Via Conduit, Jun 5 2006, 7:47 AM

titoxd.wikimedia wrote:

Since everything that was going to be done is done already, shouldn't this be
marked as RESOLVED?
