User:DWalden (WMF)/T324603

From mediawiki.org

Permissions and Validation

(N.B. Each row may represent more than one test condition)

| Performer | Rights | Prefs | Blocked | Target | Type | Suppressed | Revision | Result |
|---|---|---|---|---|---|---|---|---|
| Admin | all except cta[1] | n/a | no | *Unregistered {1,2,3}, Admin | Mixed | mixed | mixed | "You do not have permission to perform the action" |
| Adam | none | n/a | no | *Unregistered {1,2,3}, Admin | Mixed | mixed | mixed | "You do not have permission to perform the action" |
| Admin | all | off | no | *Unregistered {1,2,3}, Admin | Mixed | mixed | mixed | "You do not have permission to perform the action" |
| Adam | cta | off | no | *Unregistered {1,2,3}, Admin | Mixed | mixed | mixed | "You do not have permission to perform the action" |
| Adam | cta | on | no | *Unregistered 1 | Temp | no | hidden | See IP |
| Adam | cta | on | no | *Unregistered 1 | Temp | yes | suppressed | See IP |
| Admin | all | on | no | *Unregistered 1 | Temp | yes | suppressed | See IP |
| Admin | all | on | no | *Unregistered 2 | Temp | no | normal | See IP |
| Adam | cta | on | no | *Unregistered 2 | Temp | no | normal | See IP |
| Admin | all | on | no | *Unregistered 3 | Nonexistent | n/a | n/a | "The specified user (*Unregistered 3) does not exist" |
| Adam | cta | on | no | *Unregistered 3 | Nonexistent | n/a | n/a | "The specified user (*Unregistered 3) does not exist" |
| Admin | all | on | no | Admin | Regular | no | regular | "The specified username (Admin) is invalid" |
| Adam | cta | on | no | Admin | Regular | no | regular | "The specified username (Admin) is invalid" |
| Admin | all | on | no | 172.18.0.1 | Anon | n/a | mixed? | "The specified username (172.18.0.1) is invalid" |
| Adam | cta | on | no | 172.18.0.1 | Anon | n/a | mixed? | "The specified username (172.18.0.1) is invalid" |
| Admin | all | on | yes | *Unregistered {1,2,3}, Admin, 172.18.0.1 | Mixed | mixed | mixed | "You do not have permission to perform the action because your account is blocked" |
| Adam | cta | on | yes | *Unregistered {1,2,3}, Admin, 172.18.0.1 | Mixed | mixed | mixed | "You do not have permission to perform the action because your account is blocked" |

[1] cta = checkuser-temporary-account

With $wgAutoCreateTempUser['enabled'] = false;

| Performer | Rights | Prefs | Blocked | Target | Type | Suppressed | Revision | Result |
|---|---|---|---|---|---|---|---|---|
| Admin | all | on | no | 172.18.0.1 | Anon | no | regular | "The specified username (172.18.0.1) is invalid" |
| Admin | all | on | no | Admin | Regular | no | regular | "The specified username (Admin) is invalid" |
| Admin | all | on | no | *Unregistered 1 | Nonexistent | n/a | n/a | "The specified username (*Unregistered 1) is invalid" |
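
The check order that the two tables imply, written as a test oracle. This is an added example, not code from this page or from MediaWiki; the function names, the `has_cta` flag and the fixtures are assumptions made for illustration. It also checks the property the "Mixed" rows rely on: a performer who is denied or blocked gets one identical response for every target, so the error text cannot be used to tell existing temporary accounts from nonexistent or invalid names.

```python
import re

# Messages copied from the Result column of the tables above.
DENIED = "You do not have permission to perform the action"
BLOCKED = DENIED + " because your account is blocked"
# Shape of temporary-account names on this test wiki ("*Unregistered N").
TEMP_NAME = re.compile(r"^\*Unregistered \d+$")

# Constructed fixtures mirroring the Target column.
TARGETS = ["*Unregistered 1", "*Unregistered 2", "*Unregistered 3",
           "Admin", "172.18.0.1"]
EXISTING_TEMP = {"*Unregistered 1", "*Unregistered 2"}


def expected_result(has_cta, pref_on, blocked, target, autocreate=True):
    """Return the Result the tables predict for one request."""
    # 1. Authorization: the cta right and the preference are both required.
    if not has_cta or not pref_on:
        return DENIED
    # 2. Block check. Assumption: it runs after step 1; no table row has a
    #    performer who is both blocked and missing the right or preference.
    if blocked:
        return BLOCKED
    # 3. Target validation: only temporary-account names are accepted, and
    #    none are when $wgAutoCreateTempUser['enabled'] is false.
    if not autocreate or not TEMP_NAME.match(target):
        return f"The specified username ({target}) is invalid"
    if target not in EXISTING_TEMP:
        return f"The specified user ({target}) does not exist"
    return "See IP"


def distinct_results(has_cta, pref_on, blocked):
    """Set of responses one performer can elicit across all sample targets."""
    return {expected_result(has_cta, pref_on, blocked, t) for t in TARGETS}


if __name__ == "__main__":
    for perf in [(False, True, False), (True, False, False),
                 (True, True, True), (True, True, False)]:
        print(perf, sorted(distinct_results(*perf)))
```
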

Information disclosure

Not info disclosure:

  1. I see $ip1 for $rev1 and $tempuser1
  2. Admin suppresses $tempuser1 with autoblock (if this is possible)
  3. I cannot see $ip1 for $rev1, so I conclude $tempuser1 uses $ip1

Not info disclosure:

  1. I see $ip1 for $tempuser1
  2. Admin suppresses $tempuser1 with autoblock (if this is possible)
  3. I cannot see $ip1 for $tempuser1

Info disclosure?:

  1. I see $ip1 for $tempuser1
  2. Admin suppresses $nameduser1 with autoblock on $ip1
  3. I cannot see $ip1 for $tempuser1
    • Except I would not be blocked from $tempuser1 revisions, so I would see $ip1

Info disclosure?:

  1. I see $ip1 for $tempuser1 and $rev1
  2. Admin suppresses $rev1
  3. I cannot see $ip1 for $tempuser1 and $rev1
  4. I know that $ip1 made edit $rev1
    • But I knew that anyway

Info disclosure?:

  1. I see $ip1 for $tempuser1 (but I don't know it is $rev1)
  2. Admin suppresses $rev1
  3. I cannot see $ip1 for $tempuser1
  4. I know that $ip1 made edit $rev1
    • But I could have found that out before with the rev api endpoint