Page MenuHomePhabricator

Remove proxyunbannable from core
Closed, ResolvedPublic

Description

Proxyunbannable is a userright granted to sysops by [[mw:Extension:AutoProxyBlock]]. But this extension is not used on WMF wikis, which instead use [[mw:Extension:TorBlock]], with torunblocked as equivalent. Torunblocked is not granted to sysop, so they cannot edit from tor. However, for some reason proxyunbannable appears in the listed rights of sysops, with the description "Bypass automatic blocks of proxies". This led to some confusion among users. Since it doesn't seem to have any use, it would be best to remove it.


Version: wmf-deployment
Severity: enhancement

Details

Reference
bz73414
Related Gerrit Patches:
mediawiki/core : masterRemove proxyunbannable from core
mediawiki/extensions/AutoProxyBlock : masterAdd proxyunbannable to sysops
operations/mediawiki-config : masterRemove proxyunbannable
mediawiki/extensions/OAuth : masterRemove proxyunbannable

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:57 AM
bzimport set Reference to bz73414.
bzimport added a subscriber: Unknown Object (MLST).
Cenarium created this task.Nov 14 2014, 9:11 AM

I just checked wmf-config but I don't see anything about 'proxyunbannable' in there except for mlwikis and wikidata.

I'm not sure but I think this is done by the TorBlock extension as all sysops on Wikimedia projects have 'proxyunbannable' by default but keeping this here for now.

The AutoProxyBlock extension seems to be an offshoot of the deprecated $wgBlockOpenProxies. Proxyunbannable was missed.

  • This bug has been marked as a duplicate of bug 54597 ***

Not a duplicate; commented there.

Noted. [[mw:Manual:User_rights#List_of_permissions]] updated.

$wgProxyList refers to mwblocker.log which does not exist in wmf-config, so this doesn't seem to be of any use.

And $wgEnableDnsBlacklist is set to false by default but true on 'enwikinews', 'thwiki', 'thwiktionary', 'thwikiquote', 'thwikibooks' and 'thwikisource'.

I'll fill the bugs.

I think I'll fill a bug asking to remove all proxy blocking from mediawiki, or move to an extension. This way, wikis can choose their preferred proxy blocking extension. And proxyunbannable can go (implying some extensions will have to declare it).

The 'proxyunbannable' instances in wmf-config are just copy and paste from the list of sysop userrights, so it's no problem. But I've no idea why $wgEnableDnsBlacklist is set to true on the above 6 wikis and which DNS blacklist they use (if any). Is this necessary for those projects ?

Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptAug 19 2015, 8:29 PM

$wgProxyList refers to mwblocker.log which does not exist in wmf-config, so this doesn't seem to be of any use.

It's excluded from the public repository per .gitignore, there is a real file on the servers.

Cenarium renamed this task from Remove proxyunbannable from sysop to Remove proxyunbannable from core.Nov 23 2015, 7:30 AM
Cenarium set Security to None.

I've checked the user class, and proxyunbannable is never checked for sysops since they have ipblock-exempt.
All usergroups with proxyunbannable already have ipblock-exempt.
So this can be removed from core without removing proxy blocking.

Change 254829 had a related patch set uploaded (by Cenarium):
Remove proxyunbannable from core

https://gerrit.wikimedia.org/r/254829

This right is referenced in the following extensions:

  • BlueSpice WikiAdmin
  • UserGroups
  • OAuth
  • TorBlock

It's also referenced in wmf-config/InitialiseSettings.php of the repo operations/mediawiki-config.

Change 254832 had a related patch set uploaded (by Cenarium):
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254832

Change 254835 had a related patch set uploaded (by Cenarium):
Add proxyunbannable to sysops

https://gerrit.wikimedia.org/r/254835

Change 254842 had a related patch set uploaded (by Cenarium):
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254842

I've removed it from OAuth and added it back to AutoProxyBlock.
In TorBlock, it's commented out.
In UserGroups and BlueSpice WikiAdmin, these are in lists of rights that have not been updated for a long time.
Also removed from InitialiseSettings.php.

Change 254832 merged by jenkins-bot:
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254832

Change 254842 merged by jenkins-bot:
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254842

I think this is now done?

Change 254835 merged by jenkins-bot:
Add proxyunbannable to sysops

https://gerrit.wikimedia.org/r/254835

I think this is now done?

The commit for core has not been merged yet:
https://gerrit.wikimedia.org/r/#/c/254829/

Jdforrester-WMF closed this task as Resolved.Jan 15 2016, 6:20 PM
Jdforrester-WMF assigned this task to Cenarium.
Jdforrester-WMF edited projects, added Technical-Debt; removed Patch-For-Review.

Change 254829 merged by jenkins-bot:
Remove proxyunbannable from core

https://gerrit.wikimedia.org/r/254829