Page MenuHomePhabricator
Create Task
Maniphest T320678

Blocked users should not be able to view private filters
Closed, DuplicatePublicFeature
Actions

Description

Feature summary (what you would like to be able to do and where):

  • Blocked users should not be able to view private filters
  • Blocked users should not be able to edit private filters already done
  • Blocked users should not be able to edit public filters already done

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

Benefits (why should this be implemented?):

  • Blocked admins, blocked edit filter managers, and blocked edit filter helpers have either temporarily or permanently lost the community's trust, and therefore should not have access to view private filters.

Related Objects

Event Timeline

Novem_Linguae created this task.Oct 12 2022, 8:17 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 12 2022, 8:17 PM
Novem_Linguae updated the task description. (Show Details)Oct 12 2022, 8:19 PM
Novem_Linguae updated the task description. (Show Details)Oct 12 2022, 8:41 PM
TheresNoTime subscribed.Oct 12 2022, 8:48 PM
Barkeep49 subscribed.Oct 12 2022, 8:53 PM
TheresNoTime added a comment.Oct 12 2022, 8:54 PM

Testing with:

The blocked privileged user:

  • can view the private filter
  • cannot edit the private filter
  • cannot edit the public filter
Novem_Linguae renamed this task from Blocked users should lose all privileged access to AbuseFilter, including private filters to Blocked users should not be able to view private filters.Oct 12 2022, 8:55 PM
Novem_Linguae updated the task description. (Show Details)
Barkeep49 added a comment.Oct 12 2022, 8:56 PM

Is there already a Phab task around vieweing deleted content which blocked admins can do? Because I view that as a similar issue.

Izno subscribed.Oct 12 2022, 8:59 PM
Xaosflux subscribed.Oct 12 2022, 9:05 PM
TheresNoTime added a comment.EditedOct 12 2022, 9:06 PM

Using the same blocked administrator account, and attempting to view the deleted content of https://en.wikipedia.beta.wmflabs.org/wiki/T320678, the following message is displayed:

image.png (540×833 px, 48 KB)

en.wiki.beta should have production-comparable config settings — this would suggest blocked admins cannot see deleted revisions (at least in this manner)

gerritbot added a comment.Oct 12 2022, 9:16 PM

Change 842009 had a related patch set uploaded (by Samtar; author: Samtar):

[mediawiki/extensions/AbuseFilter@master] AbuseFilterPermissionManager: Add sitewide block check

https://gerrit.wikimedia.org/r/842009

gerritbot added a project: Patch-For-Review.Oct 12 2022, 9:16 PM
Lomrjyo subscribed.Oct 12 2022, 10:09 PM
AntiCompositeNumber closed this task as a duplicate of T296137: Blocked users should not be able to view private filters.Oct 13 2022, 2:45 PM
TheresNoTime mentioned this in T296137: Blocked users should not be able to view private filters.Oct 13 2022, 6:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits