(CCing wikitech-l)
On 28 February 2015 at 01:04, John Horne <[email protected]> wrote:
>
> $wgAutopromote['sysop'] = array(APCOND_ISIP, '141.163.4.11');
>
Wait, what? MediaWiki supports that?! You should not do that.


> However, when I log in and look at the special user rights management
> page for my own userid, I see that I am in no specific group except for
> the implied group of 'autoconfirmed users' and Administrators. There are
> checkboxes for the Administrators, Bureaucrats and 'editor' groups, but
> none of them are ticked. If I tick a checkbox, and then click save, it
> says the setting has been saved but unchecks the checkbox again.
>
It sounds like UserRights can't reasonably handle groups that are both
implied (e.g. by autopromotion) and actually grant-able to specific users
(where the target user already has implied access?). I'm not entirely
surprised - I'm not sure we officially support that configuration?


> Secondly, and more worryingly, is that if I log in using the
> 141.163.4.11 IP address, and look at the special user rights page, it
> shows everyone as being in the 'Administrators' (sysop) group! If I take
> out the autopromote from the LocalSettings file, then no-one (other than
> the original account created during installation) is shown as being in
> the Administrators group. Very strange.
>
Okay, matching APCOND_ISIP (and APCOND_IPINRANGE) is based on checking
$user->getRequest()->getIP().
But take a look at what User::getRequest does:
https://phabricator.wikimedia.org/diffusion/MW/browse/master/includes/User.php;db00239568969a41148cfdec0a77436f73fe802d$3182
So it'll determine every user's eligibility for autopromotion... Using the
current requester's IP. Depending on who requests a page (or indeed, from
which IP), the wiki will have different admins. That's ridiculous.

There probably can't be much more useful behaviour from User::getRequest -
a user doesn't have an assigned IP address, and could have made different
sorts of actions from different IPs (log in, edit, etc.) - you wouldn't
want to autopromote any user account that's ever logged in from that
Plymouth University IP, for example. All we can do is look at the current
requester's IP.
I wonder why we're not just throwing an exception when code tries to call
User::getRequest for a User other than the one making the request... Maybe
we just shouldn't even have a User::getRequest function at all.

Alex.
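
The behaviour described in this message, as an added example that is not part of the original e-mail and is not MediaWiki's code: a simplified PHP 8 model in which an IP-based autopromote condition is checked against the current request, so the same account gains or loses 'sysop' depending on who is viewing it. ModelRequest, ModelUser, implicitGroups() and implicitGroupsGuarded() are hypothetical names, the IP addresses are constructed documentation addresses, and the guarded variant is only one assumed way to restrict the check to the requesting user.

```php
<?php
// Simplified model only; none of these classes or functions exist in MediaWiki.
const MODEL_APCOND_ISIP = 'isip'; // stands in for MediaWiki's APCOND_ISIP

final class ModelRequest {
    public function __construct(public string $ip, public string $userName) {}
}

final class ModelUser {
    public function __construct(public string $name) {}
}

// Flawed shape: the IP condition is compared with the *current request's* IP,
// whichever account is being evaluated.
function implicitGroups(ModelUser $target, ModelRequest $current, array $autopromote): array {
    $groups = [];
    foreach ($autopromote as $group => [$cond, $ip]) {
        if ($cond === MODEL_APCOND_ISIP && $current->ip === $ip) {
            $groups[] = $group;
        }
    }
    return $groups;
}

// Guarded shape (assumption): request-derived conditions are only evaluated
// when the target account is the one making the request. Every condition in
// this model is IP-based, so other accounts get no implicit groups at all.
function implicitGroupsGuarded(ModelUser $target, ModelRequest $current, array $autopromote): array {
    if ($target->name !== $current->userName) {
        return [];
    }
    return implicitGroups($target, $current, $autopromote);
}

// Constructed sample data: one autopromote rule, two accounts, two requests.
$autopromote = ['sysop' => [MODEL_APCOND_ISIP, '192.0.2.11']];
$users = [new ModelUser('Alice'), new ModelUser('Bob')];
$requests = [
    new ModelRequest('192.0.2.11', 'Alice'),   // Alice browsing from the listed IP
    new ModelRequest('198.51.100.7', 'Alice'), // Alice browsing from elsewhere
];

foreach ($requests as $req) {
    foreach ($users as $u) {
        printf("%s@%s views %s: flawed=[%s] guarded=[%s]\n",
            $req->userName, $req->ip, $u->name,
            implode(',', implicitGroups($u, $req, $autopromote)),
            implode(',', implicitGroupsGuarded($u, $req, $autopromote)));
    }
}
```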