Last modified: 2014-07-08 16:42:09 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T27763, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 25763 - Special:Blocklist is leaking RevDel'ed information
Special:Blocklist is leaking RevDel'ed information
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Revision deletion (Other open bugs)
1.20.x
All All
: Normal major with 3 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
:
: 27517 (view as bug list)
Depends on:
Blocks: revdel
  Show dependency treegraph
 
Reported: 2010-11-03 06:45 UTC by p858snake
Modified: 2014-07-08 16:42 UTC (History)
10 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description p858snake 2010-11-03 06:45:02 UTC
When viewing [[Special:BlockList]] you can see information that has been RevDeleted.

Example:
 http://www.mediawiki.org/wiki/Special:BlockList => "11:35, 13 October 2010, Jyothis (Talk | contribs | block) blocked Yourmomsuckscock (Talk | contribs) (infinite, account creation blocked, e-mail blocked) (crosswiki abuse<!--globally locked; about bot-->) (unblock | change block)"

That block log (The username only) was revdeleted so it was hidden, see http://www.mediawiki.org/w/index.php?title=Special%3ALog&type=&user=&page=User%3AYourmomsuckscock&year=&month=-1&tagfilter=&hide_patrol_log=1&hide_review_log=1
Comment 1 Platonides 2011-01-06 17:57:32 UTC
I don't see that the username is shown there. You are getting a result for a specific query (the revdeleted username), but given that you are going to block it, seems sensible that those entries are shown there.
Comment 2 Ilmari Karonen 2011-01-06 18:00:28 UTC
Um, yes it is there, see
http://www.mediawiki.org/w/index.php?title=Special:BlockList&offset=20101014000000
Comment 3 Platonides 2011-01-06 18:03:21 UTC
You are right. I was looking at the later link.
Comment 4 Aaron Schulz 2011-01-06 22:19:24 UTC
Hiding a block log item doesn't hide the separate block table rows. There isn't even a foreign key to the block log record in the "currently blocked" user table.
Comment 5 Mark A. Hershberger 2011-01-20 18:12:02 UTC
Aaron, how likely is it that this will be fixed in the next week?  I don't want to have it blocking 1.17 (as it is now) if we can't get it fixed soon.
Comment 6 p858snake 2011-01-21 02:22:12 UTC
(In reply to comment #5)
> I don't want to have it blocking 1.17 (as it is now) if we can't get it fixed soon.

Well it is potentially leaking information that has been removed for legal reasons (eg: OFFICE actions).
Comment 7 Mark A. Hershberger 2011-01-21 18:03:27 UTC
Sure, but that information has been leaking for a while.  It should be fixed, but this isn't something that should block 1.17.
Comment 8 p858snake 2011-02-18 01:33:08 UTC
*** Bug 27517 has been marked as a duplicate of this bug. ***
Comment 9 Bugmeister Bot 2011-08-19 19:12:21 UTC
Unassigning default assignments. http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/54734
Comment 10 db [inactive,noenotif] 2011-09-03 19:36:31 UTC
The user Yourmomsuckscock is not hidden on mediawiki.org (It is list on Special:ListUsers[1]), only the log of the block was hidden and that is only for documentation, it is not the block itself. WORKSFORME.

Hide the user with a reblock and the block will not shown on Special:BlockList (or Special:IPblocklist under 1.17), because the page is filtering ipb_deleted since r20439.

[1] http://www.mediawiki.org/w/index.php?title=Special%3AListUsers&username=Yourmomsuckscock&group=&limit=1
Comment 11 John Mark Vandenberg 2011-09-03 20:57:51 UTC
It should not be necessary to hide the user entirely in order to ensure that a hidden log entry does not appear.
Comment 12 db [inactive,noenotif] 2011-09-04 17:05:01 UTC
(In reply to comment #11)
> It should not be necessary to hide the user entirely in order to ensure that a
> hidden log entry does not appear.

I do not think so. What helps you, when the block is not shown in that list, but the username is visible at many other places? Log is for documentation only. If you hide the username, all logs would also hidden.

When you hide the log entry for a user right change, the user rights are still visible by the user. When you hide the log entry for a move, the move is still visible in the history with the null revision.

Technical it is hard to do this. A ipb_deleted = 1 indicates a hide username. You have to use another number and test many places.

For example: per API you can get the blockinfo for the user (but not the log entry, because only the log entry is hidden, not the block itself):
http://www.mediawiki.org/w/api.php?action=query&list=allusers|users|blocks&aufrom=Yourmomsuckscock&aulimit=1&auprop=blockinfo&ususers=Yourmomsuckscock&usprop=blockinfo&bkusers=Yourmomsuckscock

In my opinion, it is wrong from the UI, that is does not show the information, that the user is blocked, when the log entry is deleted/suppressed.
Comment 13 Tegel 2012-07-15 11:28:50 UTC
Abusive user name is one thing, but the cases where it's really a problem is when the user name contains non-public information, as outing of other user. 

Right now the only solution that I can see is to rename the account, and the hide the log action related to the renaming. And that extra work shouldn't be necessary. 

Hope for a solution soon.


Best Regards,

Tegel
Comment 14 Gerrit Notification Bot 2014-05-10 10:23:02 UTC
Change 132638 had a related patch set uploaded by Withoutaname:
Hide suppressed usernames from Special:BlockList

https://gerrit.wikimedia.org/r/132638
Comment 15 TeleComNasSprVen 2014-07-08 15:44:57 UTC
(In reply to Tegel from comment #13)
> Abusive user name is one thing, but the cases where it's really a problem is
> when the user name contains non-public information, as outing of other user. 
> 
> Right now the only solution that I can see is to rename the account, and the
> hide the log action related to the renaming. And that extra work shouldn't
> be necessary. 
> 
> Hope for a solution soon.
> 
> 
> Best Regards,
> 
> Tegel

Tegel, the user himself is not hidden with the block (ipb_deleted field from ipblocks table), but the log entry for the block is hidden (log_deleted from logging table).
Comment 16 Gerrit Notification Bot 2014-07-08 15:46:26 UTC
Change 132638 abandoned by Withoutaname:
Hide suppressed usernames from Special:BlockList

Reason:
Root cause was not ipb_deleted but log_deleted where log_type is suppress.

https://gerrit.wikimedia.org/r/132638
Comment 17 Jackmcbarn 2014-07-08 15:53:18 UTC
(In reply to Tegel from comment #13)
> Abusive user name is one thing, but the cases where it's really a problem is
> when the user name contains non-public information, as outing of other user. 
> 
> Right now the only solution that I can see is to rename the account, and the
> hide the log action related to the renaming. And that extra work shouldn't
> be necessary. 
> 
> Hope for a solution soon.
> 
> 
> Best Regards,
> 
> Tegel

As was said above, the way to accomplish this is to check the "Hide username from edits and lists" box when blocking. Revdel'ing the log entry intentionally only affects the log entry. Changing this would also violate access restrictions, since it would allow non-oversighters to effectively oversight information.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links