Last modified: 2014-09-17 20:32:53 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T68639, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 66639 - OAuth should be autoblock-exempt / "IP address had been blocked automatically" in croptool
Status: NEW
Product: MediaWiki extensions
Classification: Unclassified
Component: OAuth (Other open bugs)
Version: master
Hardware: All / OS: All
Importance: High (priority), normal (severity)
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2014-06-15 13:53 UTC by Merlijn van Deen (test)
Modified: 2014-09-17 20:32 UTC (History)
CC List: 8 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Merlijn van Deen (test) 2014-06-15 13:53:58 UTC
On #wikimedia-labs, we got a report of someone getting

    Upload failed! Your IP address has been blocked automatically, because it was used by a blocked user

while using croptool (https://tools.wmflabs.org/croptool/). I could reproduce this at the time of this bug. This suggests the IP of the web server (or some other Tool Labs server) is autoblocked, and thus no-one can edit via OAuth.

Croptool is running on tools-webgrid-02, but testing manually with wget

    wget "https://commons.wikimedia.org/w/index.php?title=User_talk:Valhallasw&action=edit"

the returned HTML does not suggest the user is blocked:

http://tools.wmflabs.org/jira-bugimport/editpage.html

I'm not sure if the correct course of action would be to ip-block-exempt all 10.* IPs, or to have OAuth edits be autoblock-exempt by default.
Comment 1 Chris Steipp 2014-06-16 17:15:12 UTC
I think the community needs tools to block misbehaving OAuth apps. We probably need to keep a list of IP addresses in use by them so autoblocks or accidental IP blocks don't happen. But I think a blanket exemption for OAuth would open us up for abuse.
Comment 2 Steinsplitter 2014-06-17 17:13:49 UTC
WMF range whitelisted on Commons [1].

[1] https://commons.wikimedia.org/w/index.php?title=MediaWiki:Autoblock_whitelist&action=history
Comment 3 Steinsplitter 2014-09-16 16:39:54 UTC
Again problems [1], therefore I whitelisted the 10.0.0.0/8 subnet [2].

OAuth is using by default the toolslabs IP? If yes, this needs a fix.

[1] https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_%28technical%29&oldid=625816502#Blocked_user_logging_in_through_OAuth_causing_an_autoblock
[2] https://commons.wikimedia.org/w/index.php?title=MediaWiki%3AAutoblock_whitelist&diff=134709271&oldid=129995409
Comment 4 Brad Jorsch 2014-09-16 17:12:04 UTC
(In reply to Steinsplitter from comment #3)
> OAuth is using by default the toolslabs ip?

No, it's not.

But just like with a bot, the servers see the request coming from the IP address of the machine the OAuth-using tool is actually running on (e.g. Tool Labs) because that actually *is* the IP address the request is coming from. See bug 70885 for details on why that's not going to change.
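As an added example that is not part of the bug thread: a small Python model of the autoblock exemption check that the whitelisting in comment 3 relies on. It assumes the exemption list follows MediaWiki's one-entry-per-line convention (only lines beginning with `*` followed by an IP or CIDR range count); the sample list and addresses are constructed.

```python
import ipaddress

# Constructed whitelist page text in the format assumed for MediaWiki's
# autoblock exemption list: only lines starting with "*" are entries,
# everything else is commentary. The 10.0.0.0/8 entry mirrors the range
# whitelisted on Commons in comment 3.
SAMPLE_WHITELIST = """
This list contains IP ranges exempt from autoblocks.
Lines not starting with an asterisk are ignored.
* 10.0.0.0/8
* 192.0.2.10
"""


def parse_exemption_list(text):
    """Return the IP networks listed as exempt, skipping malformed entries."""
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("*"):
            continue
        entry = line[1:].strip()
        try:
            # strict=False tolerates host bits set, e.g. "10.1.2.3/8"
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not an IP address or CIDR range: ignore the line
    return networks


def is_autoblock_exempt(ip, whitelist_text):
    """True if ip falls inside any exempt range (address families never mix)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_exemption_list(whitelist_text))


def would_autoblock(ip, autoblocked_ips, whitelist_text):
    """Model of the failure the tool hit: an edit arriving from a shared
    server IP is rejected when that IP carries an autoblock, unless the
    IP is covered by the exemption list."""
    return ip in autoblocked_ips and not is_autoblock_exempt(ip, whitelist_text)
```

Whitelisting the whole 10.0.0.0/8 range makes every internal server exempt, which is exactly the trade-off comment 1 raises: the check no longer distinguishes one misbehaving tool from everything else sharing those addresses.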
Comment 5 Dan Michael Heggø 2014-09-16 17:47:10 UTC
Hm, there must be better ways to block misbehaving OAuth apps than to use IP blocks? Such as removing the authorization.
Comment 6 Chris Steipp 2014-09-16 20:41:32 UTC
(In reply to Dan Michael Heggø from comment #5)
> Hm, there must be better ways to block misbehaving OAuth apps than to use IP
> blocks? Such as removing the authorization.

Yes, the app's key can be revoked:

* Find the app in https://www.mediawiki.org/wiki/Special:OAuthManageConsumers/approved
* Click "review/manage"
* Select the "Disabled" radio option

The app can be re-enabled by resetting it to "Approved", so definitely be bold if it looks like the entire app is misbehaving.
Comment 7 Rainer Rillke @commons.wikimedia 2014-09-17 17:34:24 UTC
(In reply to Chris Steipp from comment #6)
> Yes, the app's key can be revoked

I get a permission error when trying to access the cited page. Maybe implement a way so communities can block OAuth Apps they don't like?
Comment 8 Chris Steipp 2014-09-17 20:32:53 UTC
(In reply to Rainer Rillke @commons.wikimedia from comment #7)
> I get a permission error when trying to access the cited page. Maybe
> implement a way so communities can block OAuth Apps they don't like?

Stewards have the right, since it blocks the app across all wikis.

It's an interesting idea, being able to block a specific app on a specific wiki. If there's a need for that feature it could probably be done without too much work. Maybe open a separate bug if you think it's a feature that several wikis would like.
