Brion Vibber wrote:
The Cunctator wrote:
I assume that sysops can be banned through this
interface as well.
Yes; one sysop having fun could ban all other existing user accounts and
finally him/herself. That would be a pretty silly thing to do, though.
Tsk tsk, don't you people read? ;) I said:
:As usual, these automatically generated entries, and the original
:username entries, can be unblocked by any sysop (even blocked sysops).
Blocking by username or IP address only stops the user from editing
pages, it does not stop them from blocking or unblocking people. Mav has
been known to block himself at times, in an attempt to discourage
himself from wasting all his time on this rather addictive website. Now
he'll be able to block himself by username, he won't have to go to the
trouble of looking up his IP address.
The hack sounds pretty ugly. Banning by username should be done by banning
through the login (i.e. the cookies), not by checking IP.
Username banning bans the username only, or rather it _did_. (There was
no user interface for doing it, so sysops could not do so.)
Since it's trivial to log out and make a new account, Tim's patch also
adds a check for the IP address when the banned user next tries to edit
(and would thus discover they were banned) and add the IP address to the
ban list as well. Thus a logout/login-with-new-name would be banned too.
So all one has to do is log out _and_ change IP addresses. (A few
seconds, click a couple buttons for many people with dynamic IPs.)
Create a new account name under the new IP, and go wild.
I don't think most vandals would know how to change their IP address
easily. But even if they did, this modification makes things much harder
for them, and much easier for us.
One might gain a slight additional protection by setting a "you're
banned" note in the session data or a separate cookie instead of (or in
addition to) banning the IP. The bannee could clear their cookies or
restart their browser to clear it.
That's possible, but I'm happy to wait and see how effective the current
measures are. Banning with cookies could cause problems for Internet
cafes, because it would be difficult to lift the ban after a complaint.
Have these changes been checked in?
In the development branch.
This is not something that should go live without discussion on the main
mailing list.
It's been discussed before, many times. That's why Tim wrote some up,
because it was discussed and many people were in favor. Of course it'll
be discussed some more, and anyway this certainly isn't appropriate
without also having automatic expiration of blocks.
Automatic expiration? Piece of cake, give me 24 hours. Any suggestions
for the lifetime?
-- Tim Starling.
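The mechanism argued over in the thread (block a username; when the blocked user next tries to edit, add the IP they came from to the block list so a logout-and-re-register from the same address is also stopped; let those IP entries expire) is small enough to model in a few dozen lines. The following is an added illustration written for this page, not Tim's patch and not MediaWiki's code: the `BlockList` class, the `user:`/`ip:` key scheme, the 24-hour autoblock lifetime, and the usernames and addresses in `demo()` are all constructed for the example. It also shows the two points raised in the thread: a blocked sysop can still unblock (including themselves), and changing IP address defeats the IP check.

```python
"""Toy model of username blocks with IP autoblock and expiry.

Added example, not MediaWiki's implementation. The key scheme, the
autoblock lifetime and the sample edit attempts are assumptions made
for illustration.
"""
from typing import Dict, Optional, Tuple

# Assumed lifetime for IP entries that were added automatically (seconds).
DEFAULT_AUTOBLOCK_TTL = 24 * 3600


class BlockList:
    """Block entries keyed by 'user:<name>' or 'ip:<addr>', each with an optional expiry."""

    def __init__(self, autoblock_ttl: int = DEFAULT_AUTOBLOCK_TTL) -> None:
        self.autoblock_ttl = autoblock_ttl
        # key -> (expiry timestamp or None for indefinite, reason)
        self._entries: Dict[str, Tuple[Optional[float], str]] = {}

    def _purge(self, now: float) -> None:
        # Automatic expiration: drop entries whose expiry time has passed.
        expired = [k for k, (exp, _) in self._entries.items()
                   if exp is not None and exp <= now]
        for k in expired:
            del self._entries[k]

    def block(self, key: str, reason: str, now: float, ttl: Optional[int] = None) -> None:
        """Add a block; ttl=None means indefinite (what a manual username block gets here)."""
        expiry = None if ttl is None else now + ttl
        self._entries[key] = (expiry, reason)

    def unblock(self, key: str) -> bool:
        # Unblocking is not gated on the caller's own block status: a blocked
        # sysop (or the autoblocked IP of one) can still remove any entry.
        return self._entries.pop(key, None) is not None

    def is_blocked(self, key: str, now: float) -> bool:
        self._purge(now)
        return key in self._entries

    def entries(self, now: float) -> Dict[str, str]:
        """Current (unexpired) entries as key -> reason."""
        self._purge(now)
        return {k: reason for k, (_, reason) in self._entries.items()}

    def check_edit(self, username: Optional[str], ip: str, now: float) -> Tuple[bool, str]:
        """Decide an edit attempt. Returns (allowed, reason).

        If the username is blocked, the requesting IP is added with a
        limited lifetime (the autoblock), so a fresh account or an
        anonymous edit from the same address is refused too. An attacker
        who changes address escapes the IP check until they log in with
        the blocked name again.
        """
        self._purge(now)
        ip_key = f"ip:{ip}"
        if username is not None:
            user_key = f"user:{username}"
            if user_key in self._entries:
                _, reason = self._entries[user_key]
                if ip_key not in self._entries:
                    self.block(ip_key, f"Autoblocked: {reason}", now, ttl=self.autoblock_ttl)
                return False, reason
        if ip_key in self._entries:
            return False, self._entries[ip_key][1]
        return True, ""


def demo() -> Dict[str, bool]:
    """Constructed sequence of edit attempts; returns whether each was allowed."""
    bl = BlockList()
    t0 = 1_000_000.0
    bl.block("user:Vandal", "Repeated vandalism", now=t0)  # indefinite username block
    r: Dict[str, bool] = {}
    r["vandal_edit"] = bl.check_edit("Vandal", "192.0.2.10", t0)[0]           # refused; IP autoblocked
    r["new_name_same_ip"] = bl.check_edit("Vandal2", "192.0.2.10", t0 + 60)[0]  # refused via IP
    r["anon_same_ip"] = bl.check_edit(None, "192.0.2.10", t0 + 60)[0]          # refused via IP
    r["new_name_new_ip"] = bl.check_edit("Vandal3", "198.51.100.7", t0 + 60)[0]  # allowed: IP changed
    later = t0 + DEFAULT_AUTOBLOCK_TTL + 1
    r["same_ip_after_expiry"] = bl.check_edit("Vandal2", "192.0.2.10", later)[0]  # allowed: autoblock expired
    r["username_still_blocked"] = bl.check_edit("Vandal", "198.51.100.7", later)[0]  # refused; new IP autoblocked
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'allowed' if allowed else 'blocked'}")
```

The autoblock entries are the only ones given a lifetime here; the manual username block is indefinite, which is exactly the gap the thread's "automatic expiration" request is about. Because `check_edit` writes to the list as a side effect, a real implementation would also want to record who or what created each entry so that an Internet cafe's shared address can be cleared on complaint without touching the underlying username block.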