From f1210bf4e73aa0553ff29be83e0d3ab445a9b347 Mon Sep 17 00:00:00 2001
From: Aryeh Gregor <simetrical@users.mediawiki.org>
Date: Wed, 20 Jul 2011 02:34:25 +0000
Subject: [PATCH] Allow blocked sysops to view Special:Unblock

Previously, trying to visit [[Special:Unblock]] while blocked would give
an error, even if the user has the unblockself permission.  I moved the
permission check from execute() to right before the code that does the
actual unblocking.  This should probably be examined closely for
security, since I'm not familiar with this code, although the impact of
a bug would be small.  I tested some simple cases manually and they all
worked as expected:

* Unblocking self works (as before)
* Submitting the form fails unless you're trying to unblock yourself (as
  before)
* GETting the page with any parameters works (previously failed unless
  the target was your own username)
---
 includes/specials/SpecialUnblock.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/includes/specials/SpecialUnblock.php b/includes/specials/SpecialUnblock.php
index 82435829bd..65f9bb1518 100644
--- a/includes/specials/SpecialUnblock.php
+++ b/includes/specials/SpecialUnblock.php
@@ -51,13 +51,6 @@ class SpecialUnblock extends SpecialPage {
 		list( $this->target, $this->type ) = SpecialBlock::getTargetAndType( $par, $wgRequest );
 		$this->block = Block::newFromTarget( $this->target );
 
-		# bug 15810: blocked admins should have limited access here.  This won't allow sysops
-		# to remove autoblocks on themselves, but they should have ipblock-exempt anyway
-		$status = SpecialBlock::checkUnblockSelf( $this->target );
-		if ( $status !== true ) {
-			throw new ErrorPageError( 'badaccess', $status );
-		}
-
 		$wgOut->setPageTitle( wfMsg( 'unblockip' ) );
 		$wgOut->addModules( 'mediawiki.special' );
 
@@ -162,6 +155,14 @@ class SpecialUnblock extends SpecialPage {
 			return array( array( 'ipb_cant_unblock', $target ) );
 		}
 
+		# bug 15810: blocked admins should have limited access here.  This
+		# won't allow sysops to remove autoblocks on themselves, but they
+		# should have ipblock-exempt anyway
+		$status = SpecialBlock::checkUnblockSelf( $target );
+		if ( $status !== true ) {
+			throw new ErrorPageError( 'badaccess', $status );
+		}
+
 		# If the specified IP is a single address, and the block is a range block, don't
 		# unblock the whole range.
 		list( $target, $type ) = SpecialBlock::getTargetAndType( $target );
-- 
2.20.1