Page MenuHomePhabricator
Create Task
Maniphest T75414

Remove proxyunbannable from core
Closed, ResolvedPublic
Actions

Description

Proxyunbannable is a userright granted to sysops by [[mw:Extension:AutoProxyBlock]]. But this extension is not used on WMF wikis, which instead use [[mw:Extension:TorBlock]], with torunblocked as equivalent. Torunblocked is not granted to sysop, so they cannot edit from tor. However, for some reason proxyunbannable appears in the listed rights of sysops, with the description "Bypass automatic blocks of proxies". This led to some confusion among users. Since it doesn't seem to have any use, it would be best to remove it.

Version: wmf-deployment
Severity: enhancement

Details

Reference
bz73414
SubjectRepoBranchLines +/-
Remove proxyunbannable from coremediawiki/coremaster+1 -8
Add proxyunbannable to sysopsmediawiki/extensions/AutoProxyBlockmaster+5 -0
Remove proxyunbannableoperations/mediawiki-configmaster+3 -4
Remove proxyunbannablemediawiki/extensions/OAuthmaster+0 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:57 AM
bzimport added a project: Wikimedia-Site-requests.
bzimport set Reference to bz73414.
bzimport added a subscriber: Unknown Object (MLST).
Cenarium created this task.Nov 14 2014, 9:11 AM
Glaisher added a comment.Nov 14 2014, 10:18 AM

I just checked wmf-config but I don't see anything about 'proxyunbannable' in there except for mlwikis and wikidata.

I'm not sure but I think this is done by the TorBlock extension as all sysops on Wikimedia projects have 'proxyunbannable' by default but keeping this here for now.

Cenarium added a comment.Nov 14 2014, 3:05 PM

The AutoProxyBlock extension seems to be an offshoot of the deprecated $wgBlockOpenProxies. Proxyunbannable was missed.

  • This bug has been marked as a duplicate of bug 54597 ***
PleaseStand added a comment.Nov 14 2014, 4:10 PM

Not a duplicate; commented there.

Cenarium added a comment.Nov 15 2014, 3:38 AM

Noted. [[mw:Manual:User_rights#List_of_permissions]] updated.

$wgProxyList refers to mwblocker.log which does not exist in wmf-config, so this doesn't seem to be of any use.

And $wgEnableDnsBlacklist is set to false by default but true on 'enwikinews', 'thwiki', 'thwiktionary', 'thwikiquote', 'thwikibooks' and 'thwikisource'.

I'll fill the bugs.

Cenarium added a comment.Nov 15 2014, 5:44 AM

I think I'll fill a bug asking to remove all proxy blocking from mediawiki, or move to an extension. This way, wikis can choose their preferred proxy blocking extension. And proxyunbannable can go (implying some extensions will have to declare it).

The 'proxyunbannable' instances in wmf-config are just copy and paste from the list of sysop userrights, so it's no problem. But I've no idea why $wgEnableDnsBlacklist is set to true on the above 6 wikis and which DNS blacklist they use (if any). Is this necessary for those projects ?

MarcoAurelio subscribed.Nov 29 2014, 10:31 PM
Cenarium added a subtask: T76301: Remove all proxy blocking functionalities from mediawiki core.Nov 30 2014, 6:08 PM
Krenair moved this task from Backlog to Blocked on development on the Wikimedia-Site-requests board.Aug 19 2015, 8:29 PM
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptAug 19 2015, 8:29 PM
Krenair subscribed.Aug 19 2015, 8:50 PM
In T75414#771561, @Cenarium wrote:

$wgProxyList refers to mwblocker.log which does not exist in wmf-config, so this doesn't seem to be of any use.

It's excluded from the public repository per .gitignore, there is a real file on the servers.

Cenarium renamed this task from Remove proxyunbannable from sysop to Remove proxyunbannable from core.Nov 23 2015, 7:30 AM
Cenarium edited projects, added MediaWiki-User-management; removed Wikimedia-Site-requests.
Cenarium set Security to None.
Cenarium removed a subtask: T76301: Remove all proxy blocking functionalities from mediawiki core.
Cenarium added a comment.Nov 23 2015, 7:38 AM

I've checked the user class, and proxyunbannable is never checked for sysops since they have ipblock-exempt.
All usergroups with proxyunbannable already have ipblock-exempt.
So this can be removed from core without removing proxy blocking.

gerritbot subscribed.Nov 23 2015, 11:07 AM

Change 254829 had a related patch set uploaded (by Cenarium):
Remove proxyunbannable from core

https://gerrit.wikimedia.org/r/254829

gerritbot added a project: Patch-For-Review.Nov 23 2015, 11:07 AM
siebrand subscribed.Nov 23 2015, 11:40 AM

This right is referenced in the following extensions:

  • BlueSpice WikiAdmin
  • UserGroups
  • OAuth
  • TorBlock

It's also referenced in wmf-config/InitialiseSettings.php of the repo operations/mediawiki-config.

gerritbot added a comment.Nov 23 2015, 11:53 AM

Change 254832 had a related patch set uploaded (by Cenarium):
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254832

gerritbot added a comment.Nov 23 2015, 12:07 PM

Change 254835 had a related patch set uploaded (by Cenarium):
Add proxyunbannable to sysops

https://gerrit.wikimedia.org/r/254835

gerritbot added a comment.Nov 23 2015, 12:25 PM

Change 254842 had a related patch set uploaded (by Cenarium):
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254842

Cenarium added a comment.Nov 23 2015, 12:27 PM

I've removed it from OAuth and added it back to AutoProxyBlock.
In TorBlock, it's commented out.
In UserGroups and BlueSpice WikiAdmin, these are in lists of rights that have not been updated for a long time.
Also removed from InitialiseSettings.php.

Cenarium added a parent task: T31145: Core features that shouldn't be in core (tracking).Nov 24 2015, 6:11 AM
gerritbot added a comment.Nov 26 2015, 1:58 AM

Change 254832 merged by jenkins-bot:
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254832

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2015-12-08_(1.27.0-wmf.8)).Nov 26 2015, 2:00 AM
gerritbot added a comment.Jan 12 2016, 4:40 PM

Change 254842 merged by jenkins-bot:
Remove proxyunbannable

https://gerrit.wikimedia.org/r/254842

Jdforrester-WMF subscribed.Jan 12 2016, 4:48 PM

I think this is now done?

gerritbot added a comment.Jan 12 2016, 4:48 PM

Change 254835 merged by jenkins-bot:
Add proxyunbannable to sysops

https://gerrit.wikimedia.org/r/254835

Cenarium added a comment.Jan 13 2016, 1:35 PM
In T75414#1927675, @Jdforrester-WMF wrote:

I think this is now done?

The commit for core has not been merged yet:
https://gerrit.wikimedia.org/r/#/c/254829/

Jdforrester-WMF closed this task as Resolved.Jan 15 2016, 6:20 PM
Jdforrester-WMF assigned this task to Cenarium.
Jdforrester-WMF edited projects, added Technical-Debt; removed Patch-For-Review.
gerritbot added a comment.Jan 15 2016, 6:34 PM

Change 254829 merged by jenkins-bot:
Remove proxyunbannable from core

https://gerrit.wikimedia.org/r/254829

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2016-01-19_(1.27.0-wmf.11)).Jan 15 2016, 8:00 PM
Jdforrester-WMF added a project: Developer-notice.Jan 15 2016, 10:55 PM
C.Syde65 mentioned this in T269063: Briefly revisiting the "Remove proxyunbannable from core" task.Dec 1 2020, 3:51 AM
C.Syde65 subscribed.Dec 1 2020, 11:10 PM
In T75414#1824398, @Cenarium wrote:

I've checked the user class, and proxyunbannable is never checked for sysops since they have ipblock-exempt.
All usergroups with proxyunbannable already have ipblock-exempt.
So this can be removed from core without removing proxy blocking.

What exactly does this mean? Does it mean that all usergroups that once had (proxyunbannable) also had (ipblock-exempt)? Or does it mean that (ipblock-exempt) was able to do everything that (proxyunbannable) was able to do?

RhinosF1 subscribed.Dec 2 2020, 4:18 AM

@

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits