Steward requests/Global permissions

Shortcut: SRGR Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions, and not doing so would reflect poorly on your suitability. Please also review the Global rollback policy. Please note that Global rollbackers discussions are not votes. Comments must present specific points in favor of or against a user's approval. Instructions for making a request Before requesting, make sure that: You have sufficient activity to meet the requirements to be allocated the global rollback flag To make a request Copy the template below to the bottom of this section and explain of why you need the access and why you're suitable. === Global rollback for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!-- don't change this line --> |domain = global <!-- don't change this line --> |user name = {{subst:REVISIONUSER}} <!-- don't change this line unless you're nominating another user --> }} ::''Not ending before {{subst:#time:j F Y H:i|+5 days}} UTC'' The request will be approved if consensus to do so exists after a period of consideration of no less than 5 days (with rare exceptions , no matter how obvious the result may seem). This is not a vote, and all input is welcome. Stewards will determine whether consensus exists; when doing so it is likely that the weight given to the input of those involved in cross-wiki work will be most influential.

Shortcut: SRGS Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions, and not doing so would reflect poorly on your suitability. Please also review the Global sysops policy. Stewards When you give someone global sysop rights, please list them on Users with global sysop access and ask them to subscribe to the global sysops mailing list. Please note that Global sysops discussions are not votes. Comments must present specific points in favor of or against a user's approval. Instructions for making a request Before requesting, make sure that: You have a global account ; You are logged in on this wiki, and the account is part of your global account; To make a request Copy the template below to the bottom of this section and explain of why you need the access and why you're suitable. If you previously requested that right, please add a link to the previous discussion(s). === Global sysop for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!-- don't change this line --> |domain = global <!-- don't change this line --> |user name = {{subst:REVISIONUSER}} <!-- don't change this line unless you're nominating another user --> }} :''Not ending before {{subst:#time:j F Y H:i|+2 week}} UTC'' The request will be approved if consensus to do so exists after a period of consideration of no less than two weeks (no exceptions are allowed no matter how obvious the result may seem). This is not a vote, and all input is welcome. Stewards will determine whether consensus exists; when doing so it is likely that the weight given to the input of those involved in cross-wiki work will be most influential. Please note: Since 2019 all global sysops are required to have two-factor authentication (2FA) enabled.

Global sysop for WhitePhosphorus

Not ending before 12 December 2019 16:44 UTC

Hi. I would like to request for global sysop toolkits to help deal with the spambots and vandals, and do some interface maintenance as well on small wikis.

I have been serving as interface admin and sysop on both zhwiki and zhwikibooks since 2017, which are typical large and small wikis respectively, from that I gained adequate experience mainly on anti-vandalism, abusefilter, templates and interface editing. I'm also a sysop of zhwikiversity but more focus on fighting against occasionally appearing LTAs there. I carried out a lot anti-vandalism work globally especially after obtained global rollback permission on Oct. 2019, with the aid of various handy tools like SWViewer and TwinkleGlobal. You can find me on cvn, gs and stewards IRC channels too.

My language knowledge generally covers Chinese and several of its dialects/variants (besides English for communication), and I live in UTC+8 timezone now (may change in future but will still make up a significant proportion). Thus, I hope I could supply the GS team with more diversity.

I have already enabled 2FA since I'm a local interface admin. Regards, WhitePhosphorus (talk) 16:44, 28 November 2019 (UTC)[reply]

•  Strong support Yes!-MrJaroslavik (talk) 20:52, 28 November 2019 (UTC)[reply]
•  Strong support We need more active and competent GS to counter attacks by LTAs! Keep up the good work! Masum Reza^☎ 22:51, 28 November 2019 (UTC)[reply]
•  Support --Novak Watchmen (talk) 06:17, 29 November 2019 (UTC)[reply]
•  Support -- CptViraj (📧) 08:39, 29 November 2019 (UTC)[reply]
•  Strong support --大诺史 (Talk/留言/토론/Discussion) 08:49, 29 November 2019 (UTC)[reply]
•  Support Obviously capable, with a caveat that if you need to edit interface, that may be out of the traditional scope of GS which is to deal with clear crosswiki vandals and it will be better to apply the Global Interface Editor group as well. Thanks for serving. --Camouflaged Mirage (talk) 13:33, 29 November 2019 (UTC)[reply]
  • Thanks for the admonition, I know the scope and would like to handle some GS wiki interface related requests in SRM (e.g. this and this one) if elected, and will leave it to local IAs if there are active ones. In general, I'd like to serve as a backup IA on small wikis and be called on necessary, but don't have a specific task to deal with so not going to run for GIE yet :) --WhitePhosphorus (talk) 13:52, 29 November 2019 (UTC)[reply]
•  Support Vermont (talk) 15:09, 29 November 2019 (UTC)[reply]
• Support. —Sgd. Hasley 16:27, 29 November 2019 (UTC)[reply]
•  Support per Vermont. -- Несмир Кудилович (разговор) 20:33, 29 November 2019 (UTC)[reply]
•  Support --Rschen7754 20:34, 29 November 2019 (UTC)[reply]
•  Support--eldarado ^✉ 20:53, 29 November 2019 (UTC)[reply]
•  Strong support --94rain ^Talk 08:13, 30 November 2019 (UTC)[reply]
•  Support --Esteban16 (talk) 12:50, 30 November 2019 (UTC)[reply]
•  Support – Ajraddatz (talk) 15:01, 30 November 2019 (UTC)[reply]
•  Support competent and trusted. ‐‐1997kB (talk) 04:33, 1 December 2019 (UTC)[reply]
•  Support --BRP ^ever 04:36, 1 December 2019 (UTC)[reply]
•  Support Valid use case, looks fine to my eyes. Leaderboard (talk) 16:38, 1 December 2019 (UTC)[reply]
•  Support — Tulsi Bhagat (contribs | talk) 03:32, 2 December 2019 (UTC)[reply]
•  Strong support ~riley (talk) 03:35, 2 December 2019 (UTC)[reply]
•  Strong support -J. Ansari Talk 09:00, 2 December 2019 (UTC)[reply]
•  Support--Turkmen ^talk 11:57, 2 December 2019 (UTC)[reply]

Steward requests/Global permissions/Global renamers

Shortcut: SRIPBE Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions. Please review Global IP block exemption. You may request Global IP block exemption via stewardswikimedia.org if you can not edit this page. Please note: Global IP block exemption does NOT make one immune to locally-created blocks of any sort, only global blocks. If you want to edit the Chinese Wikipedia, usually global IP block exemptions will not help you. Please see this instruction to request a local IP block exemption. Instructions for making a request Before requesting global IP block exemption, make sure that: You have a global account ; You are logged in on this wiki, and the account is part of your global account; To request global IP block exemption Copy the template below to the bottom of this section and explain why you need the access and why you're suitable. If needed, link to relevant discussions. === Global IP block exempt for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!--don't change this line--> |domain = global<!--don't change this line--> |user name = {{subst:REVISIONUSER}} }} <Add an explanation here>, thanks, --~~~~ The request will be approved if there is demonstrated need for the permission, such as bypassing a global block from someone who is not the intended target.

Global IP block exempt for IP Range of WikiLoop Battlefield

Statement

I am a developer, and we are building a counter-vandalism tool called WikiLoop Battlefield, and here is its source code. We recently start to roll out Oauth login and in-place revert feature. When we move our test from localhost to our dev and canary(staging) environment, we noticed that we received the following error.

{ "error": { "code": "globalblocking-ipblocked-range", "info": "'''Your IP address is in a range which has been blocked on all wikis.''' The block was made by [//meta.wikimedia.org/wiki/User:Jon_Kolbert Jon Kolbert] (meta.wikimedia.org). The reason given is ''[[NOP|Open Proxy]]: Webhost: Contact [[m:Special:Contact/stewards|stewards]] if you are affected ''. * Start of block: 2019-07-23T12:01:56 * Expiration of block: 2021-01-23T11:01:56 You can contact [//meta.wikimedia.org/wiki/User:Jon_Kolbert Jon Kolbert] to discuss the block. You cannot use the \"Email this user\" feature unless a valid email address is specified in your [[Special:Preferences|account preferences]] and you have not been blocked from using it. Your current IP address is 3.86.232.24, and the blocked range is 3.86.0.0/16. Please include all above details in any queries you make.", "*": "See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes." }, "servedby": "mw1346" }

We host our server on Heroku, does it mean that the IP address of heroku is being blocked globally for MediaWiki API? Can we apply to be whitelisted for our legit use-case?

Thank you!

Xinbenlv (talk)

Responses

@Xinbenlv: Heroku is a shared host, and Wikimedia discourages hosting service in third-party shared hosts (it may host VPN or reverse proxy, which can hide users' IP address). You should either:

• Move the project to Toolforge (recommended) or Cloud VPS
• Create a edit service in Toolforge similar to toollabs:widar, and invoke the service (you must use GET or JSONP, Cloud does not support POST from third-party service) in the project (not recommended, this may have security issues)

--GZWDer (talk) 18:41, 17 October 2019 (UTC)[reply]

@GZWDer: thank you.

First sorry I just noticed I didn't use the template (which doesn't apply to IP range extemption for al IPs), I updated it.

Second, here we are building an app that requires a user to login with Oauth. We only conduct edit on-behalf of loged-in users and their username will show up.

3rdly, with respect to your suggestion, We've considered porting the project to Toolforge but we are waiting for the Toolforge to support modern Kubernates https://phabricator.wikimedia.org/T214513.

It is not particularly feasible for all users to rely on IP addresses because as many of people who submit for permissions here, IP addresses are only largely available in USA and a few developed countries who took part in early Internet infrastructure development discussions. Many other countries they have to rely on NAT that shares limited IP addresses. Our app hope to expand to all language locales to help users with counter-vandalism efforts. If we block IP addresses, it will reduce the access of these users from Non-USA/developed countries who would like to help.

In summary, can we apply for unblocking any IP addresses if we have allowed users to identify themselves with login? Thank you!

Xinbenlv (talk) 21:21, 17 October 2019 (UTC)[reply]

all, I don't know who to send this argument to... Xinbenlv (talk) 10:36, 25 October 2019 (UTC)[reply]

I start a discussion en:User:Xinbenlv/Propose:Allow_Login_Users_By_Default_When_IP_Range_Blocked

There is a block configurations to let logged in users edit while on blocked IP: However we usually do not allow it on NOP blocks. We cannot let anyone using your tool be exempt from the block, this is a software restrictions. There's just no way to do that. And since we are not going to unblock AWS — thus Heroku — I think your only bet is to follow GZWDer's advice. — regards, Revi 07:54, 4 November 2019 (UTC)[reply]

@-revi:, @GZWDer: thanks for answering. How about the following solutions sound to admins?

1. if we use certain way to crypt-sign a request from our app's server, can you grant app-specific exception for this use-case? (rather than unblocking all IP-addresses but unblockgin all users who have signed in and use our app)?
2. if we managed to find a fixed IP address, can you unblock individual IP address of the one that we use for our webapp?

Xinbenlv (talk) 22:37, 4 November 2019 (UTC)[reply]

#1: There's no such feature^(tm) to do so. #2: I think I can do that, with two conditions: You notify us when you stop your project (thus releasing the IP to the shared pool) and you absolutely always require authentication. — regards, Revi 04:40, 5 November 2019 (UTC)[reply]

@-revi: thank you! Yes. We are likely to use at most 3 IP addresses at this moment:

• 35.222.141.110 for dev
• 34.67.56.51 for canary (staging)
• 34.69.252.115 for prod

and I agree to both terms: we will absolutely require authentication(in fact you can just allow only login users to edit from these IP addresses) and we will notify you when we stop project and release the IP to the shared pool. (once the Toolforge support mount on Root or custom domain, or we are approved for WMF Cloud VPS)

Xinbenlv (talk) 06:13, 5 November 2019 (UTC)[reply]

Note individual IPs can not be globally whitelisted (phab:T42439). They can only be whitelisted locally.--GZWDer (talk) 19:58, 5 November 2019 (UTC)[reply]

@GZWDer:, thank you!

Do I understand it correctly that both the global and local needs to unblock the IP for any IP address to be used? While I will work on applying for individual local wiki's IP whitelist approve, can I ask why individual IPs can not be globally whitelisted? In particular, is it a policy or a technical reason?

1. If it's a policy, I'd argument by fixing the static IP, it's no longer an Open Proxy since being reserved and occupied by an application, a random internet user cannot use it. Given that we promise that we only authenticate users, it's a fixed set of users (only registered Wikipedian users) rather than open to public.
2. If it's a technical issue, I'd argument previously we are blocking IP range IP1 to IP3, now if we have a static IP2 to unblock, you can block [IP1, IP2), (IP2, IP3]

Dear global admins, what do you think? Thank you!

Xinbenlv (talk) 21:35, 5 November 2019 (UTC)[reply]

Please let me know if there are other information you would love me to provide accompanying this application Xinbenlv (talk) 22:49, 7 November 2019 (UTC)[reply]

It's a technical reason. We simply cannot globally whitelist individual IP addresses, even if we wanted to. Trijnstel_talk 23:06, 9 November 2019 (UTC)[reply]

@Trijnstel: thank you for your answer. Can you help me understand how that is not technically possible? I suggested that you can unblock [IP1, IP2), (IP2, IP3] instead of the range [IP1,IP3]? Or what are alternatives if you could kindly suggest? Xinbenlv (talk) 02:54, 10 November 2019 (UTC)[reply]

@RonaldB: What can you tell me about the IP address 3.86.232.24? Currently the whole /16 IP range has been blocked and I don't think it's possible/desired to unblock a part of it, but perhaps you can advice? Trijnstel_talk 18:47, 10 November 2019 (UTC)[reply]

@RonaldB:, @Trijnstel:, @GZWDer:, @-revi:, thank you, do I understand it correctly that you are helping us to find the technical solutions because there is no other concerns in the policy aspects right? If there are policy concern, could we discuss policy concern in the meanwhile? Xinbenlv (talk) 00:41, 15 November 2019 (UTC)[reply]

@Trijnstel:, the range 3.0.0.0/9 (and that includes 3.86.232.24) belongs to Amazon AWS (not the shop, but the server hosting part of that corporation). That is a very large range and I'm pretty sure that there are thousands of much smaller ranges included, altogether used for cloud hosting/services. On nlwiki I don't block the whole /9, but when I notice abuse and suspect a VPN behind that, I block a /16 within that /9 range. Not sure, but something similar might have happened in this case as well. - Rgds RonaldB (talk) 00:50, 25 November 2019 (UTC)[reply]

Global IP block exempt for 荣智浩

<我是中国大陆用户，需要解锁全域IP>，谢谢, --荣智浩 (talk) 12:11, 14 November 2019 (UTC)[reply]

• @荣智浩:：请使用英文！并说明你需要使用Global IP Block Exemption的必要性。（Please use English! And explain the need for you to use Global IP Block Exemption.）--舞月書生（JoyeZhang）👉☎️👈 ♪My Heart Will Go On 16:17, 14 November 2019 (UTC)[reply]

你确认你遇到的是全域封禁吗？你在commoms上也遇到过这种现象吗？如果没有的话，我建议你在中文维基本地申请IP封禁豁免。另外你需要用英语解释你遇到的情况。—Techyan（Talk） 06:01, 15 November 2019 (UTC)[reply]

• @荣智浩:Are you sure your IP address have been global block? Maybe provide your IP address to confirm will be better. --Streetdeck （Talk） 09:38, 18 November 2019 (UTC)[reply]

Global IP block exempt for Majavah

Hello. I would like to request a global IP block exemption to use a VPN while editing over a public network. I already have local exemption on the English Wikipedia, however I do sometimes need to edit other wikis, such as Commons or Wikidata. Best regards, Majavah (talk) 18:17, 29 November 2019 (UTC)[reply]

Done Ruslik (talk) 21:03, 2 December 2019 (UTC)[reply]

Global IP block exempt for 李瞬生

Hello, I'm a user from Mainland China, where Wikipedia is technically prohibited. I cannont visit the sites without the help of proxy tools. However, all of the tools I can find is blocked from editting Wikipedia. Gained the IPBE of zhwp though, I'm looking forward to a global IPBE to edit any Wikipedia project, especially enwiki and jawiki. Thanks.--李瞬生 (talk) 10:55, 30 November 2019 (UTC)[reply]

Global IP block exempt for 沈澄心

I am a user from Mainland China, so I can't visit some Wikimedia project without the help of proxy tools. I want to contribute to Chinese Wikiquote, which is blocked in Mainland China now, but there is no local IP block exempt policy on that wiki. I also want to edit another Wikipedia project, especially enwiki and jawiki. Could you please give me a global IPBE? Thanks! (I can visit these wikis by using Accesser, with whose help I can edit Wikipedia without IPBE. However, this tool cannot run on Android phones currently.) --沈澄心✉ 05:49, 1 December 2019 (UTC)[reply]

Global IP block exempt for Painjet

I am a user from Mainland China and already have IP block exempt for zh.wikipedia.org. I'd like to upload some pictures to commons.wikipedia.org, where my account has been blocked recently. I will appreciate it if you could give me the Global IP block exempt. --Painjet (talk) 12:13, 2 December 2019 (UTC)[reply]

Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions. Testing this service may result in the loss of your access and is not recommended for inexperienced users. Instructions for making a request Before requesting 2FA tester global permissions, make sure that: You are logged in on this wiki; You have read the help page about two-factor authentication and understand how it could lead to irrecoverable loss of access to your account ; To request 2FA tester global permissions Copy the template below to the bottom of this section and INDICATE you have read the Help page. If the request page is currently protected, please file as an edit request on the talk page. === 2FA Tester for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!--don't change this line--> |domain = global <!--don't change this line--> |user name = {{subst:REVISIONUSER}} }} <Add an explanation here>, thanks, --~~~~ The request will be approved if there is no reason not to grant one. A steward will review the request.

Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions. Instructions for making a request Before requesting additional global permissions, make sure that: You are logged in on this wiki; No specific section on this page exists for the permission you want to request; To request additional global permissions Copy the template below to the bottom of this section and explain what kind of access you need and why. If needed, link to relevant discussions. If you hold, or have previously held, the right and are asking for either a renewal or revival of that right, please add a link to the previous discussion. === <Add requested permission here> for [[User:Foo|Foo]] === {{sr-request |status = <!--don't change this line--> |domain = global<!--don't change this line--> |user name = Username |discussion= }} <Add an explanation here>, thanks, --~~~~ The request will be approved if consensus to do so exists after a short period of consideration. A steward will review the request.

remove global OTRS member for Xxmarijnw

Thanks, --Krd 08:35, 1 December 2019 (UTC)[reply]

Done.--HakanIST (talk) 12:27, 1 December 2019 (UTC)[reply]

Remove global renamer and global rollback for Renamed user uofgjwfojfowubwofemipvwjboiw

Vanished accounts should not be used. I propose to remove the user's global renamer and global rollback flag. It may be restored if the user returns. --GZWDer (talk) 14:05, 2 December 2019 (UTC)[reply]

Please also remove global OTRS member. --Krd 14:16, 2 December 2019 (UTC)[reply]

And please delete my user page, user talk page and rights in all wiki if you can. Sorry I have to request this because of safe. Thank you. --Catherine Laurence ^discussion 14:50, 2 December 2019 (UTC)[reply]

Synchbox can be used for the deletions --DannyS712 (talk) 16:55, 2 December 2019 (UTC)[reply]

• User groups — Information on user groups
• Global rights log — Log of global permissions changes
• Archives
  • 2024: 01, 02, 03, 04, 05