User:DWalden (WMF)/Blocking
Types of block
edit- Account block
- Special:Block against a user account. These may also be referred to as "Database account blocks".
- Autoblock
- When creating an account block, you can optionally check an option
Automatically block the last IP address used by this user...
. This creates an IP block against the IP of the account. This differs from a normal IP block because it is not meant to show information about an account's IP. The account needs to have performed some action first (e.g. editing a page) in order for the system to know what their IP address is. See Autoblock.
- Hidden block
- For a Special:Block account block or autoblock which has an indefinite expiry you can check the option
Hide username from edits and lists
. Only users with the hideuser right (on enwiki this is users in the Oversighters group) will be able to see these blocks in Special:BlockList, Special:Log/block (and perhaps other places) and the account name will be hidden from normal users (e.g. in revision history).
- IP block
- Special:Block against an IP (e.g.
1.2.3.4
,2001:470:8b2e:89::
). These may also be referred to as "Database IP blocks".
- Range block
- Special:Block against an IP range (e.g.
1.2.3.4/18
,2001:470:8b2e:89::/64
). These may also be referred to as "Database range blocks".
- Global IP
- Special:GlobalBlock against an IP.
- Global Range
- Special:GlobalBlock against an IP range.
- System block
- There are several configuration variables which can block IP addresses/ranges. Add these to
LocalSettings.php
:- $wgProxyList
- $wgSoftBlockRanges
- $wgDnsBlacklistUrls (to block all IPs, set
$wgDnsBlacklistUrls = [ 'nip.io.' ];
. Remember to also set$wgEnableDnsBlacklist = true;
.)
N.B. There are other types of blocks which I haven't listed above, e.g. Extension:TorBlock, Extension:RegexBlock, Extension:BulkBlock.
Ways blocks can be applied
edit- Logged in
- If you have an account block or autoblock applied to an account you are logged in as.
- Public IP
- Your public IP address is blocked.
- Cookie
-
- If you login to an account which has an autoblock you will have a cookie added to your browser. Even if you log out, the account block will still be applied to you, until the cookie expires. See $wgCookieSetOnAutoblock and Autoblock#Tracking.
- A similar thing will happen if you attempt an action with a blocked IP, see $wgCookieSetOnIpBlock.
- X-Forward-For (XFF)
- If a blocked IP address is in your XFF header and
$wgApplyIpBlocksToXff
is true.
Block parameters
editFor some types of blocks (esp. database blocks) what exactly a user is blocked from can be determined when creating the block. For example, we can decide whether we want to block users from sending an email.
- Anonymous
- For database and global blocks we can choose whether the block applies only to anonymous (IP) users or to both anonymous and logged in users.
Important things to know
edit- Partial block
- When creating an Account, IP or Range block in Special:Block, you can check the radio button
Partial
. This then gives you the option to block editing of only certain pages and/or namespaces and/or doing certain actions. You might want to add$wgEnablePartialActionBlocks = true;
to yourLocalSettings.php
to be able to block other actions.
- Composite block
- When you have multiple types of blocks applied to you, the software will create a "composite block". You cannot create these directly. Instead, you need to create multiple individual blocks which affect the same user. For example, you can block someone's account and their IP, or have a Global block and an IP block against the same IP. A composite block can include database blocks, system blocks and Global blocks and those blocks can be applied based on the account, IP, cookie or XFF header.
The above two interact with one another. For example, if I have a partial block against my account blocking me from editing "Page A" and a partial block against my IP blocking me from editing "Page B", this will form a composite block where I will be blocked from editing both "Page A" and "Page B". It will always apply the most strict restrictions of all the individual blocks.
Which actions are blocked for whom
editCreate account | Edit | ||||||
---|---|---|---|---|---|---|---|
Block | IP | Named | XFF IP | XFF Named | |||
IP or Range | Blocked | Blocked | Blocked | Allowed | |||
Global IP or Range | Blocked | Allowed | Blocked | Allowed | |||
$wgSoftBlockRanges | Allowed | Allowed | Allowed | Allowed | |||
$wgDnsBlacklistUrls | Blocked | Blocked[1] | Don't know | Don't know |
- ↑ Even if user has
ipblock-exempt
right.
Block messages
editThere are a variety of different messages you should see when you are blocked and attempting to perform an action you are blocked from doing.
It is sometimes useful to be able to identify which message you are seeing by its internal name. You can see this by adding uselang=qqx
to the URL.
Test tools and scripts
editSee https://gitlab.wikimedia.org/dwalden/block-testing/-/tree/main.
Simulate a different IP address locally (on docker)
editAdd this to LocalSettings.php
:
$wgCdnServersNoPurge = [ '172.0.0.1/8' ];
$wgUsePrivateIPs = true;
Install a browser extension which allows you to change your X-Forward-For header. For example, this one for Firefox or Chrome.
Follow the instructions provided by the addon to change your X-Forward-For header to the IP you want to simulate.
Then interact with the wiki as usual.
Example matrix of test block scenarios
editDue to the fact that composite blocks can apply multiple blocks at the same time, there are a large number of possible combinations of blocks a user can have affecting them at any one time. Below is just a small sample. Create your own combinations you think represent realistic or interesting scenarios.
# | Account block | Autoblock | IP block | Range block | Global IP | Global Range | System block |
---|---|---|---|---|---|---|---|
1 | Logged in | Public IP | |||||
2 | Public IP | Public IP | |||||
3 | Cookie | XFF |
Description of example scenarios
edit- You are logged in an account which is blocked (but not autoblocked) and your public IP is also globally blocked.
- You share the same public IP as an account which is autoblocked and that IP is also in a globally blocked range.
- You have just logged out of an account which is autoblocked (so a cookie has been set on your browser) and you have an IP address in your XFF header which is in a globally blocked range.