The Cunctator wrote:
> I assume that sysops can be banned through this interface as well.
Yes; one sysop having fun could ban all other existing user accounts and
finally him/herself. That would be a pretty silly thing to do, though.
> The hack sounds pretty ugly. Banning by username should be done by banning
> through the login (i.e. the cookies) not by checking IP.
Username banning bans the username only, or rather it _did_. (There was
no user interface for doing it, so sysops could not do so.)
Since it's trivial to log out and make a new account, Tim's patch also
adds a check for the IP address when the banned user next tries to edit
(and would thus discover they were banned) and adds the IP address to the
ban list as well. Thus a logout/login-with-new-name would be banned too.
So all one has to do is log out _and_ change IP addresses. (A few
seconds, click a couple buttons for many people with dynamic IPs.)
Create a new account name under the new IP, and go wild.
One might gain a slight additional protection by setting a "you're
banned" note in the session data or a separate cookie instead of (or in
addition to) banning the IP. The bannee could clear their cookies or
restart their browser to clear it.
> Have these changes been checked in?
In the development branch.
> This is not something that should go live without discussion on the main
> mailing list.
It's been discussed before, many times. That's why Tim wrote some up,
because it was discussed and many people were in favor. Of course it'll
be discussed some more, and anyway this certainly isn't appropriate
without also having automatic expiration of blocks.
-- brion vibber (brion @ pobox.com)
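The block logic described in the message above (a username ban that copies the offender's IP into the ban list on their next edit attempt, plus the automatic expiry the reply says must exist before this goes live), as an added illustration that is not part of the original thread and not MediaWiki's own code. The class, method names, usernames and IP addresses are all constructed for this example; the demo also shows the limitation the reply points out, that a new account from a new IP address is not caught.

```python
"""Toy model of username + IP blocking with automatic expiry.

Constructed illustration only (hypothetical names and addresses); it is not
the patch discussed in the thread and not code from the MediaWiki project.
"""
from datetime import datetime, timedelta


class BanList:
    """Username and IP bans, each stored with an expiry time."""

    def __init__(self):
        self._users = {}   # username -> expiry datetime
        self._ips = {}     # ip string -> expiry datetime

    def _active(self, table, key, now):
        """True if `key` has an unexpired entry; expired entries are purged."""
        expiry = table.get(key)
        if expiry is None:
            return False
        if expiry <= now:
            del table[key]   # automatic expiration of blocks
            return False
        return True

    def ban_user(self, username, now, duration):
        self._users[username] = now + duration

    def ban_ip(self, ip, now, duration):
        self._ips[ip] = now + duration

    def is_ip_banned(self, ip, now):
        return self._active(self._ips, ip, now)

    def may_edit(self, username, ip, now):
        """Return True if the edit is allowed.

        When a banned username tries to edit, the IP it is using is added to
        the ban list for the remaining lifetime of the username ban, so that
        logging out and re-registering from the same address is blocked too.
        A later attempt from a different address is not caught by this.
        """
        if self._active(self._users, username, now):
            remaining = self._users[username] - now
            # keep whichever expiry is later if the IP was already listed
            self._ips[ip] = max(self._ips.get(ip, now), now + remaining)
            return False
        if self._active(self._ips, ip, now):
            return False
        return True


def demo():
    """Walk through the scenarios from the thread; returns allow/deny per case."""
    t0 = datetime(2002, 1, 1, 12, 0)          # constructed timestamp
    bans = BanList()
    bans.ban_user("vandal", t0, timedelta(hours=24))
    results = {}
    # banned user tries to edit: denied, and their IP is now listed
    results["banned user"] = bans.may_edit("vandal", "192.0.2.10", t0)
    # logout, new account, same IP: denied by the propagated IP ban
    results["new name, same ip"] = bans.may_edit(
        "fresh", "192.0.2.10", t0 + timedelta(minutes=1))
    # logout, new account, new IP: not caught (the gap the reply describes)
    results["new name, new ip"] = bans.may_edit(
        "fresh2", "192.0.2.11", t0 + timedelta(minutes=2))
    # after the 24h block has expired both entries are purged automatically
    results["after expiry"] = bans.may_edit(
        "vandal", "192.0.2.10", t0 + timedelta(hours=25))
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22s} -> {'allowed' if allowed else 'blocked'}")
```

The IP entry inherits the remaining lifetime of the username ban rather than a fresh full term, so the expiry the reply asks for stays consistent across both tables.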