SECURITY: API: Respect $wgBlockCIDRLimit in action=block
authorKunal Mehta <legoktm@member.fsf.org>
Fri, 13 Jul 2018 15:07:51 +0000 (08:07 -0700)
committerReedy <reedy@wikimedia.org>
Thu, 6 Jun 2019 21:20:05 +0000 (21:20 +0000)
$wgBlockCIDRLimit states how large rangeblocks are allowed to be for IPv4
and IPv6. The API now calls SpecialBlock::validateTarget() to perform
that validation step.

As a minor thing, SpecialBlock::checkUnblockSelf() is now called twice by
the API, but that can probably be cleaned up at another time.

Tests included.

Bug: T199540
Change-Id: Ic7d60240d9ebd9580c0eb3b41e4befceab69bd81

includes/api/ApiBlock.php
tests/phpunit/includes/api/ApiBlockTest.php

index 8f40283..85dd2c7 100644 (file)
@@ -109,6 +109,11 @@ class ApiBlock extends ApiBase {
                        'Tags' => $params['tags'],
                ];
 
+               $status = SpecialBlock::validateTarget( $params['user'], $user );
+               if ( !$status->isOK() ) {
+                       $this->dieStatus( $status );
+               }
+
                $retval = SpecialBlock::processForm( $data, $this->getContext() );
                if ( $retval !== true ) {
                        $this->dieStatus( $this->errorArrayToStatus( $retval ) );
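Review bot: The first added line validates `$params['user']`, but the block itself is then performed from `$data`, whose `'Target'` entry is built above the hunk and is not visible here; if that entry is derived from anything other than the raw `user` parameter (a normalised name, or a target resolved from a different request parameter), the CIDR check and the actual block operate on different values and an oversized range could still slip through. Validating the same value that is blocked avoids that, `$status = SpecialBlock::validateTarget( $data['Target'], $user );`. `$user` is also defined outside the hunk; presumably it is the performer from `$this->getUser()`, which is what the self-unblock check inside validateTarget needs. ApiBlock::execute starts and ends outside the hunk.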
index 374ea3c..efefc09 100644 (file)
@@ -14,6 +14,10 @@ class ApiBlockTest extends ApiTestCase {
                parent::setUp();
 
                $this->mUser = $this->getMutableTestUser()->getUser();
+               $this->setMwGlobals( 'wgBlockCIDRLimit', [
+                       'IPv4' => 16,
+                       'IPv6' => 19,
+               ] );
        }
 
        protected function tearDown() {
@@ -41,7 +45,6 @@ class ApiBlockTest extends ApiTestCase {
                $tokens = $this->getTokens();
 
                $this->assertNotNull( $this->mUser, 'Sanity check' );
-               $this->assertNotSame( 0, $this->mUser->getId(), 'Sanity check' );
 
                $this->assertArrayHasKey( 'blocktoken', $tokens, 'Sanity check' );
 
@@ -232,4 +235,18 @@ class ApiBlockTest extends ApiTestCase {
                        self::$users['sysop']->getUser()
                );
        }
+
+       public function testRangeBlock() {
+               $this->mUser = User::newFromName( '128.0.0.0/16', false );
+               $this->doBlock();
+       }
+
+       /**
+        * @expectedException ApiUsageException
+        * @expectedExceptionMessage Range blocks larger than /16 are not allowed.
+        */
+       public function testVeryLargeRangeBlock() {
+               $this->mUser = User::newFromName( '128.0.0.0/1', false );
+               $this->doBlock();
+       }
 }
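Review bot: The new tests only exercise the IPv4 limit: setUp now configures an IPv6 limit of 19 as well, but neither testRangeBlock nor testVeryLargeRangeBlock uses an IPv6 target, so a regression in the IPv6 branch of the check would still pass this suite. A companion test of the same shape with an oversized IPv6 range, for example `User::newFromName( '2001:db8::/18', false )` (constructed sample), expecting the IPv6 variant of the error message would close that gap; the exact message text has to come from validateTarget, since it is not visible here. The sanity check dropped in the earlier hunk, `assertNotSame( 0, $this->mUser->getId(), 'Sanity check' )`, was presumably removed because IP targets carry no user id; guarding it with `if ( !$this->mUser->isAnon() )` would keep it for the named-user cases rather than losing it for all of them.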