Last modified: 2006-06-05 14:50:45 UTC
Blocking a user does not prevent them from doing anything except actually
editing a page, which means that blocked users can still rollback, (un)protect,
block/unblock, etc. if they have those abilities normally available to them.
I suggest this is modified so that a blocked user is prevented from doing
anything which alters the database, apart from unblocking themselves.
(In reply to comment #0)
> I suggest this is modified so that a blocked user is prevented from doing
> anything which alters the database, apart from unblocking themselves.
"anything which alters the database" are also "actions" which do not affect
1. changing preferences, including e-mail address, password etc.
2. adding / removing items to the own whatch list
I thing that it would be fair to allow blocked users these actions.
Regards Reinhardt [[user:gangleri]]
This glitch is not of the highest priority, nor is it "critical". Incidentally;
if endorsing the ability to self-unblock, then why bother restricting the other
stuff; the user can just unblock themself, then carry on.
Because if we do enable rollback seperately from adminship (which there is some
demand for), users with rollback but not admin shouldn't be able to rollback.
Well, technically speaking, rollback assignment is a configuration issue. Users
with rollback don't have access to the blocks, however, and so couldn't unblock
themselves. Rollback needs merely to be tweaked to check that the user isn't
That's exactly my point.
(In reply to comment #1)
> "anything which alters the database" are also "actions" which do not affect
> other users [..]
Yes, you make a sensible point. I didn't think of that when writing. I agree
that blocked users should be allowed to perform these tasks too. My wording was
(In reply to comment #4)
> Well, technically speaking, rollback assignment is a configuration issue. Users
> with rollback don't have access to the blocks, however, and so couldn't unblock
> themselves. Rollback needs merely to be tweaked to check that the user isn't
> blocked first.
Yes, that is what this bug report is for. :)
In includes/User.php, in function isAllowed add the folowing...
//If the user wants to delete or undelete a page and he is
blocked don't allow him to do so.
if( ($action == 'delete' || $action == 'undelete') &&
//If the user wants to protect or unprotect a page and it's
blocked don't allow him to do so.
if( ($action == 'protect' || $action == 'unprotect') &&
...i guess it should work.
Fixed in CVS HEAD. Blocked users can now not use rollback, or delete pages.
Protection levels are read-only when the user is blocked, and the undelete page
works like it does for users without that permission.
Does that imply that blocked users can still block other users?
(In reply to comment #9)
> Does that imply that blocked users can still block other users?
Wouldn't it be more appropriate to still allow a blocked admin to UNblock, but
not allow him to Block? Should be an equally simple code tweak.
The problem with that is an admin woulnd't be able to undo unblocks made in error.
I believe that the ability for admins to block/unblock others while blocked
should be limited. Admins should only be able to unblock themselves while
blocked, in case of an autoblocker.
1) What's "themselves"? An IP block that hits an admin isn't explicitly linked
to their account. In cases like AOL proxies it may not even be consistent from
hit to hit.
2) If they can unblock themselves, they can then block and unblock anyone else.
So what does some kind of limitation here actually accomplish?
Thanks for explaining that Brion, I didn't think of that. In that case, just
limiting the ability of blocked users to block others would serve.
Since everything that was going to be done is done already, shouldn't this be
marked as RESOLVED?