From 20d0eeb6b27a44fd883b178799e7b68631ba3548 Mon Sep 17 00:00:00 2001
From: Happy-melon
Date: Fri, 26 Mar 2010 22:02:51 +0000
Subject: [PATCH] (bug 15810) stop blocked admins from unblocking themselves or others.
---
 RELEASE-NOTES | 2 +
 includes/specials/SpecialBlockip.php | 16 ++++++++
 includes/specials/SpecialIpblocklist.php | 48 ++++++++++++++++--------
 languages/messages/MessagesEn.php | 3 ++
 languages/messages/MessagesQqq.php | 2 +
 maintenance/language/messages.inc | 5 ++-
 6 files changed, 60 insertions(+), 16 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 02346e3592..1f4113631b 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -58,6 +58,8 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 22903) Revdelete log entries now show in the user preferred language.
 * (bug 22905) Correctly handle followed by ISBN
 * (bug 22940) Namespace aliases pointing to main namespace don't work
+* (bug 15810) blocked admins can no longer block/unblock other users, nor
+ themselves unless they are given the 'unblockself' permission.

 == API changes in 1.17 ==
 * (bug 22738) Allow filtering by action type on query=logevent
diff --git a/includes/specials/SpecialBlockip.php b/includes/specials/SpecialBlockip.php
index 316db3606f..85182dca25 100644
--- a/includes/specials/SpecialBlockip.php
+++ b/includes/specials/SpecialBlockip.php
@@ -24,6 +24,22 @@ function wfSpecialBlockip( $par ) {
 }

 $ipb = new IPBlockForm( $par );
+
+ # bug 15810: blocked admins should have limited access here
+ if( $wgUser->isBlocked() ){
+ $user = User::newFromName( $ipb->BlockAddress );
+ if( $user instanceof User
+ && $user->getId() == $wgUser->getId() )
+ {
+ # User is trying to unblock themselves
+ if( !$wgUser->isAllowed( 'unblockself' ) ){
+ throw new ErrorPageError( 'badaccess', 'ipbnounblockself' );
+ }
+ } else {
+ # User is trying to block/unblock someone else
+ throw new ErrorPageError( 'badaccess', 'ipbblocked' );
+ }
+ }

 $action = $wgRequest->getVal( 'action' );
 if( 'success' == $action ) {
diff --git a/includes/specials/SpecialIpblocklist.php b/includes/specials/SpecialIpblocklist.php
index dfdcf1a789..e1cbdbc14f 100644
--- a/includes/specials/SpecialIpblocklist.php
+++ b/includes/specials/SpecialIpblocklist.php
@@ -19,7 +19,7 @@ function wfSpecialIpblocklist( $ip = '' ) {

 $ipu = new IPUnblockForm( $ip, $id, $reason );

- if( $action == 'unblock' ) {
+ if( $action == 'unblock' || $action == 'submit' && $wgRequest->wasPosted() ) {
 # Check permissions
 if( !$wgUser->isAllowed( 'block' ) ) {
 $wgOut->permissionRequired( 'block' );
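Review bot: In the SpecialBlockip.php hunk the self-versus-other test `$user->getId() == $wgUser->getId()` never checks that the ids are non-zero, so if `User::newFromName()` returns an object for an unregistered name (whose id would presumably be 0), an acting user whose own id is 0 would be treated as targeting themselves. `if( $user instanceof User && $user->getId() != 0 && $user->getId() == $wgUser->getId() )` removes that case. The same gate is pasted again in the second SpecialIpblocklist.php hunk, where the same guard applies; moving both copies into one shared helper that takes the target name would stop them drifting apart. The comment `# User is trying to unblock themselves` is misleading in this file, which is the block form; `# Target is the acting user's own account` says what the branch actually tests. wfSpecialBlockip() starts and ends outside the hunk.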
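Review bot: The widened condition in the first SpecialIpblocklist.php hunk, `$action == 'unblock' || $action == 'submit' && $wgRequest->wasPosted()`, is only correct because `&&` binds tighter than `||`. Since this line now decides whether the `# Check permissions` test below it runs for submissions as well, I would write the grouping out: `if( $action == 'unblock' || ( $action == 'submit' && $wgRequest->wasPosted() ) ) {`. The branch it opens continues past the end of this hunk.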
@@ -30,22 +30,40 @@ function wfSpecialIpblocklist( $ip = '' ) {
 $wgOut->readOnlyPage();
 return;
 }
- # Show unblock form
- $ipu->showForm( '' );
- } elseif( $action == 'submit' && $wgRequest->wasPosted()
- && $wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ) ) {
- # Check permissions
- if( !$wgUser->isAllowed( 'block' ) ) {
- $wgOut->permissionRequired( 'block' );
- return;
+
+ # bug 15810: blocked admins should have limited access here
+ if( $wgUser->isBlocked() ){
+ if( $id ){
+ # This doesn't pick up on autoblocks, but admins
+ # should have the ipblock-exempt permission anyway
+ $block = Block::newFromID( $id );
+ $user = User::newFromName( $block->mAddress );
+ } else {
+ $user = User::newFromName( $ip );
+ }
+ if( $user instanceof User
+ && $user->getId() == $wgUser->getId() )
+ {
+ # User is trying to unblock themselves
+ if( !$wgUser->isAllowed( 'unblockself' ) ){
+ throw new ErrorPageError( 'badaccess', 'ipbnounblockself' );
+ }
+ } else {
+ # User is trying to block/unblock someone else
+ throw new ErrorPageError( 'badaccess', 'ipbblocked' );
+ }
 }
- # Check for database lock
- if( wfReadOnly() ) {
- $wgOut->readOnlyPage();
- return;
+ if( $action == 'unblock' ){
+ # Show unblock form
+ $ipu->showForm( '' );
+ } elseif( $action == 'submit'
+ && $wgRequest->wasPosted()
+ && $wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ) )
+ {
+ # Remove blocks and redirect user to success page
+ $ipu->doSubmit();
 }
- # Remove blocks and redirect user to success page
- $ipu->doSubmit();
+
 } elseif( $action == 'success' ) {
 # Inform the user of a successful unblock
 # (No need to check permissions or locks here,
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index ed5f041c69..5fadae0d28 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
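Review bot: `Block::newFromID( $id )` is dereferenced on the very next line without checking its result, so when `$id` matches no block (assuming newFromID can return null or false then) the gate reads `mAddress` from a non-object before deciding anything. Resolving the target defensively, `$block = Block::newFromID( $id );` followed by `$user = $block ? User::newFromName( $block->mAddress ) : false;`, lands in the existing `ipbblocked` refusal instead. The gate also takes its target from `$id` first and `$ip` second; `$ipu->doSubmit()` is not visible here, so confirm it resolves the target in the same order and that the check and the action cannot disagree. A posted `submit` with a failing edit token now matches neither inner branch and ends without a form or an error, which an explicit `else` would make visible. wfSpecialIpblocklist() starts before and continues after this hunk.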
@@ -1904,6 +1904,7 @@ You can also choose to let others contact you through your user or talk page wit
 'right-override-export-depth' => 'Export pages including linked pages up to a depth of 5',
 'right-versiondetail' => 'Show the extended software version information',
 'right-sendemail' => 'Send e-mail to other users',
+'right-unblockself' => 'Unblock themselves',

 # User rights log
 'rightslog' => 'User rights log',
@@ -2999,6 +3000,8 @@ You cannot create an account',
 'cant-block-while-blocked' => 'You cannot block other users while you are blocked.',
 'cant-see-hidden-user' => "The user you are trying to block has already been blocked and hidden.
 Since you do not have the hideuser right, you cannot see or edit the user's block.",
+'ipbblocked' => 'You cannot block or unblock other users, because you are yourself blocked',
+'ipbnounblockself' => 'You are not allowed to unblock yourself',

 # Developer tools
 'lockdb' => 'Lock database',
diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php
index bb563cf0c7..0e2daf3558 100644
--- a/languages/messages/MessagesQqq.php
+++ b/languages/messages/MessagesQqq.php
@@ -2495,6 +2495,8 @@ Used on [[Special:Block]] as header for other blocks, i.e. from GlobalBlocking o
 'blockme' => 'The page title of [[Special:Blockme]], a feature which is disabled by default.',
 'sorbs' => '{{optional}}',
 'cant-see-hidden-user' => 'Used as (red) error message on Special:Block when you try to change (as sysop w/o the hideuser right) the block of a hidden user.',
+'ipbblocked' => 'Error message shown when a user tries to alter block settings when they are themselves blocked.',
+'ipbnounblockself' => 'Error message shown when a user without the unblockself right tries to unblock themselves.',

 # Developer tools
 'lockdb' => 'The title of the special page [[Special:LockDB]].
diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc
index ceac0f99fe..65647f626e 100644
--- a/maintenance/language/messages.inc
+++ b/maintenance/language/messages.inc
@@ -1078,6 +1078,7 @@ $wgMessageStructure = array(
 'right-override-export-depth',
 'right-versiondetail',
 'right-sendemail',
+ 'right-unblockself',
 ),
 'rightslog' => array(
 'rightslog',
@@ -2013,7 +2014,9 @@ $wgMessageStructure = array(
 'sorbsreason',
 'sorbs_create_account_reason',
 'cant-block-while-blocked',
- 'cant-see-hidden-user'
+ 'cant-see-hidden-user',
+ 'ipbblocked',
+ 'ipbnounblockself',
 ),
 'developertools' => array(
 'lockdb',
--
2.20.1