(CCing wikitech-l)

On 28 February 2015 at 01:04, John Horne <[email protected]> wrote:

> $wgAutopromote['sysop'] = array(APCOND_ISIP, '141.163.4.11');

Wait, what? MediaWiki supports that?! You should not do that.

> However, when I log in and look at the special user rights management
> page for my own userid, I see that I am in no specific group except for
> the implied group of 'autoconfirmed users' and Administrators. There are
> checkboxes for the Administrators, Bureaucrats and 'editor' groups, but
> none of them are ticked. If I tick a checkbox, and then click save, it
> says the setting has been saved but unchecks the checkbox again.

It sounds like UserRights can't reasonably handle groups that are both implied (e.g. by autopromotion) and actually grant-able to specific users (where the target user already has implied access?). I'm not entirely surprised - I'm not sure we officially support that configuration?

> Secondly, and more worryingly, is that if I log in using the
> 141.163.4.11 IP address, and look at the special user rights page, it
> shows everyone as being in the 'Administrators' (sysop) group! If I take
> out the autopromote from the LocalSettings file, then no-one (other than
> the original account created during installation) is shown as being in
> the Administrators group. Very strange.

Okay, matching APCOND_ISIP (and APCOND_IPINRANGE) is based on checking $user->getRequest()->getIP(). But take a look at what User::getRequest does:

https://phabricator.wikimedia.org/diffusion/MW/browse/master/includes/User.php;db00239568969a41148cfdec0a77436f73fe802d$3182

So it'll determine every user's eligibility for autopromotion... Using the current requester's IP. Depending on who requests a page (or indeed, from which IP), the wiki will have different admins. That's ridiculous.

There probably can't be much more useful behaviour from User::getRequest - a user doesn't have an assigned IP address, and could have made different sorts of actions from different IPs (log in, edit, etc.) - you wouldn't want to autopromote any user account that's ever logged in from that Plymouth University IP, for example. All we can do is look at the current requester's IP.

I wonder why we're not just throwing an exception when code tries to call User::getRequest for a User other than the one making the request... Maybe we just shouldn't even have a User::getRequest function at all.

Alex.
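
Added example, not part of the original message and not MediaWiki source: a simplified PHP model of the behaviour described above, where a user object with no request of its own borrows the request currently being served, next to the stricter variant that refuses. The class names, function names and the 192.0.2.10 address are constructed for illustration.

```php
<?php
// Simplified model (PHP 8+), not MediaWiki code. ModelRequest, ModelUser and
// the functions below are hypothetical stand-ins for the behaviour described.
const ADMIN_IP = '192.0.2.10'; // constructed documentation address

final class ModelRequest {
    public function __construct(private string $ip) {}
    public function getIP(): string { return $this->ip; }
}

final class ModelUser {
    public ?ModelRequest $own = null; // set only for the user making the request
    public function __construct(public string $name) {}

    // Described behaviour: fall back to whatever request is being served.
    public function getRequestLoose(ModelRequest $current): ModelRequest {
        return $this->own ?? $current;
    }

    // Stricter variant: refuse to answer for a user who is not the requester.
    public function getRequestStrict(): ModelRequest {
        if ($this->own === null) {
            throw new LogicException("{$this->name} is not the requesting user");
        }
        return $this->own;
    }
}

function matchesIpLoose(ModelUser $u, ModelRequest $current): bool {
    return $u->getRequestLoose($current)->getIP() === ADMIN_IP;
}

function matchesIpStrict(ModelUser $u): bool {
    try {
        return $u->getRequestStrict()->getIP() === ADMIN_IP;
    } catch (LogicException $e) {
        return false; // the IP condition cannot be evaluated for this user
    }
}

// Constructed scenario: one viewer browsing from ADMIN_IP lists three accounts.
$current = new ModelRequest(ADMIN_IP);
$viewer = new ModelUser('Viewer');
$viewer->own = $current;
foreach ([$viewer, new ModelUser('Alice'), new ModelUser('Bob')] as $u) {
    printf("%-6s loose=%-5s strict=%s\n", $u->name,
        var_export(matchesIpLoose($u, $current), true),
        var_export(matchesIpStrict($u), true));
}
```

With the loose lookup every listed account matches the IP condition whenever the viewer comes from that address; with the strict lookup only the viewer does.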
