From 38d962030dc14e6f012427261ede5b1959143a07 Mon Sep 17 00:00:00 2001
From: Alex Monk <krenair@gmail.com>
Date: Sat, 22 Dec 2012 19:33:05 +0000
Subject: [PATCH] (bug 38633) Don't block non-existent users via the API

Change-Id: I49232e177b23e11d04f64ac0d939073fa9418d64
---
 includes/api/ApiBlock.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 813e4d4bec..4779067407 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -55,6 +55,7 @@ class ApiBlock extends ApiBase {
 		if ( !$user->isAllowed( 'block' ) ) {
 			$this->dieUsageMsg( 'cantblock' );
 		}
+
 		# bug 15810: blocked admins should have limited access here
 		if ( $user->isBlocked() ) {
 			$status = SpecialBlock::checkUnblockSelf( $params['user'], $user );
@@ -62,6 +63,13 @@ class ApiBlock extends ApiBase {
 				$this->dieUsageMsg( array( $status ) );
 			}
 		}
+
+		$target = User::newFromName( $params['user'] );
+		// Bug 38633 - if the target is a user (not an IP address), but it doesn't exist or is unusable, error.
+		if ( $target instanceof User && ( $target->isAnon() /* doesn't exist */ || !User::isUsableName( $target->getName() ) ) ) {
+			$this->dieUsageMsg( array( 'nosuchuser', $params['user'] ) );
+		}
+
 		if ( $params['hidename'] && !$user->isAllowed( 'hideuser' ) ) {
 			$this->dieUsageMsg( 'canthide' );
 		}
-- 
2.20.1