Steward requests/Global permissions

Shortcut: SRGR Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions, and not doing so would reflect poorly on your suitability. Please also review the Global rollback policy. Please note that Global rollbackers discussions are not votes. Comments must present specific points in favor of or against a user's approval. Instructions for making a request Before requesting, make sure that: You have sufficient activity to meet the requirements to be allocated the global rollback flag To make a request Copy the template below to the bottom of this section and explain of why you need the access and why you're suitable. === Global rollback for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!-- don't change this line --> |domain = global <!-- don't change this line --> |user name = {{subst:REVISIONUSER}} <!-- don't change this line unless you're nominating another user --> }} ::''Not ending before {{subst:#time:j F Y H:i|+5 days}} UTC'' The request will be approved if consensus to do so exists after a period of consideration of no less than 5 days (with rare exceptions , no matter how obvious the result may seem). This is not a vote, and all input is welcome. Stewards will determine whether consensus exists; when doing so it is likely that the weight given to the input of those involved in cross-wiki work will be most influential.

Shortcut: SRGS Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions, and not doing so would reflect poorly on your suitability. Please also review the Global sysops policy. Stewards When you give someone global sysop rights, please list them on Users with global sysop access and ask them to subscribe to the global sysops mailing list. Please note that Global sysops discussions are not votes. Comments must present specific points in favor of or against a user's approval. Instructions for making a request Before requesting, make sure that: You have a global account ; You are logged in on this wiki, and the account is part of your global account; To make a request Copy the template below to the bottom of this section and explain of why you need the access and why you're suitable. If you previously requested that right, please add a link to the previous discussion(s). === Global sysop for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!-- don't change this line --> |domain = global <!-- don't change this line --> |user name = {{subst:REVISIONUSER}} <!-- don't change this line unless you're nominating another user --> }} :''Not ending before {{subst:#time:j F Y H:i|+2 week}} UTC'' The request will be approved if consensus to do so exists after a period of consideration of no less than two weeks (no exceptions are allowed no matter how obvious the result may seem). This is not a vote, and all input is welcome. Stewards will determine whether consensus exists; when doing so it is likely that the weight given to the input of those involved in cross-wiki work will be most influential. Please note: Since 2019 all global sysops are required to have two-factor authentication (2FA) enabled.

Global sysop for WhitePhosphorus

Not ending before 12 December 2019 16:44 UTC

Hi. I would like to request for global sysop toolkits to help deal with the spambots and vandals, and do some interface maintenance as well on small wikis.

I have been serving as interface admin and sysop on both zhwiki and zhwikibooks since 2017, which are typical large and small wikis respectively, from that I gained adequate experience mainly on anti-vandalism, abusefilter, templates and interface editing. I'm also a sysop of zhwikiversity but more focus on fighting against occasionally appearing LTAs there. I carried out a lot anti-vandalism work globally especially after obtained global rollback permission on Oct. 2019, with the aid of various handy tools like SWViewer and TwinkleGlobal. You can find me on cvn, gs and stewards IRC channels too.

My language knowledge generally covers Chinese and several of its dialects/variants (besides English for communication), and I live in UTC+8 timezone now (may change in future but will still make up a significant proportion). Thus, I hope I could supply the GS team with more diversity.

I have already enabled 2FA since I'm a local interface admin. Regards, WhitePhosphorus (talk) 16:44, 28 November 2019 (UTC)[reply]

•  Strong support Yes!-MrJaroslavik (talk) 20:52, 28 November 2019 (UTC)[reply]
•  Strong support We need more active and competent GS to counter attacks by LTAs! Keep up the good work! Masum Reza^☎ 22:51, 28 November 2019 (UTC)[reply]
•  Support --Novak Watchmen (talk) 06:17, 29 November 2019 (UTC)[reply]
•  Support -- CptViraj (📧) 08:39, 29 November 2019 (UTC)[reply]
•  Strong support --大诺史 (Talk/留言/토론/Discussion) 08:49, 29 November 2019 (UTC)[reply]
•  Support Obviously capable, with a caveat that if you need to edit interface, that may be out of the traditional scope of GS which is to deal with clear crosswiki vandals and it will be better to apply the Global Interface Editor group as well. Thanks for serving. --Camouflaged Mirage (talk) 13:33, 29 November 2019 (UTC)[reply]
  • Thanks for the admonition, I know the scope and would like to handle some GS wiki interface related requests in SRM (e.g. this and this one) if elected, and will leave it to local IAs if there are active ones. In general, I'd like to serve as a backup IA on small wikis and be called on necessary, but don't have a specific task to deal with so not going to run for GIE yet :) --WhitePhosphorus (talk) 13:52, 29 November 2019 (UTC)[reply]
•  Support Vermont (talk) 15:09, 29 November 2019 (UTC)[reply]
• Support. —Sgd. Hasley 16:27, 29 November 2019 (UTC)[reply]
•  Support per Vermont. -- Несмир Кудилович (разговор) 20:33, 29 November 2019 (UTC)[reply]
•  Support --Rschen7754 20:34, 29 November 2019 (UTC)[reply]
•  Support--eldarado ^✉ 20:53, 29 November 2019 (UTC)[reply]
•  Strong support --94rain ^Talk 08:13, 30 November 2019 (UTC)[reply]
•  Support --Esteban16 (talk) 12:50, 30 November 2019 (UTC)[reply]
•  Support – Ajraddatz (talk) 15:01, 30 November 2019 (UTC)[reply]
•  Support competent and trusted. ‐‐1997kB (talk) 04:33, 1 December 2019 (UTC)[reply]
•  Support --BRP ^ever 04:36, 1 December 2019 (UTC)[reply]
•  Support Valid use case, looks fine to my eyes. Leaderboard (talk) 16:38, 1 December 2019 (UTC)[reply]
•  Support — Tulsi Bhagat (contribs | talk) 03:32, 2 December 2019 (UTC)[reply]
•  Strong support ~riley (talk) 03:35, 2 December 2019 (UTC)[reply]
•  Strong support -J. Ansari Talk 09:00, 2 December 2019 (UTC)[reply]
•  Support--Turkmen ^talk 11:57, 2 December 2019 (UTC)[reply]
•  Support Trusted --Geonuch (talk) 04:11, 3 December 2019 (UTC)[reply]
•  Support Jianhui67 ^{talk★contribs} 11:21, 4 December 2019 (UTC)[reply]
•  Support No red flags, trusted. --Kostas20142 (talk) 20:24, 4 December 2019 (UTC)[reply]
•  Support(o´ω`o)و盯白磷--Zyksnowy (talk) 15:35, 5 December 2019 (UTC)[reply]
•  Support – Ammarpad (talk) 18:38, 5 December 2019 (UTC)[reply]
•  Support -FASTILY 03:14, 6 December 2019 (UTC)[reply]
•  Support sysop on significant project. Global sysop is not a big deal at all, so should be granted on request when there is a potential use and trust has been established in the primary language group. TonyBallioni (talk) 23:09, 7 December 2019 (UTC)[reply]
• Thank you for your helping. --Sotiale (talk) 14:19, 8 December 2019 (UTC)[reply]

  @Sotiale: I take it you support this candidate? Masum Reza^☎ 14:31, 8 December 2019 (UTC)[reply]

  Of course, my opinion is in favor. Stewards can know my opinion without {{s}} template. --Sotiale (talk) 14:39, 8 December 2019 (UTC)[reply]

Steward requests/Global permissions/Global renamers

Shortcut: SRIPBE Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions. Please review Global IP block exemption. You may request Global IP block exemption via stewardswikimedia.org if you can not edit this page. Please note: Global IP block exemption does NOT make one immune to locally-created blocks of any sort, only global blocks. If you want to edit the Chinese Wikipedia, usually global IP block exemptions will not help you. Please see this instruction to request a local IP block exemption. Instructions for making a request Before requesting global IP block exemption, make sure that: You have a global account ; You are logged in on this wiki, and the account is part of your global account; To request global IP block exemption Copy the template below to the bottom of this section and explain why you need the access and why you're suitable. If needed, link to relevant discussions. === Global IP block exempt for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!--don't change this line--> |domain = global<!--don't change this line--> |user name = {{subst:REVISIONUSER}} }} <Add an explanation here>, thanks, --~~~~ The request will be approved if there is demonstrated need for the permission, such as bypassing a global block from someone who is not the intended target.

Global IP block exempt for IP Range of WikiLoop Battlefield

Statement

I am a developer, and we are building a counter-vandalism tool called WikiLoop Battlefield, and here is its source code. We recently start to roll out Oauth login and in-place revert feature. When we move our test from localhost to our dev and canary(staging) environment, we noticed that we received the following error.

{ "error": { "code": "globalblocking-ipblocked-range", "info": "'''Your IP address is in a range which has been blocked on all wikis.''' The block was made by [//meta.wikimedia.org/wiki/User:Jon_Kolbert Jon Kolbert] (meta.wikimedia.org). The reason given is ''[[NOP|Open Proxy]]: Webhost: Contact [[m:Special:Contact/stewards|stewards]] if you are affected ''. * Start of block: 2019-07-23T12:01:56 * Expiration of block: 2021-01-23T11:01:56 You can contact [//meta.wikimedia.org/wiki/User:Jon_Kolbert Jon Kolbert] to discuss the block. You cannot use the \"Email this user\" feature unless a valid email address is specified in your [[Special:Preferences|account preferences]] and you have not been blocked from using it. Your current IP address is 3.86.232.24, and the blocked range is 3.86.0.0/16. Please include all above details in any queries you make.", "*": "See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes." }, "servedby": "mw1346" }

We host our server on Heroku, does it mean that the IP address of heroku is being blocked globally for MediaWiki API? Can we apply to be whitelisted for our legit use-case?

Thank you!

Xinbenlv (talk)

Responses

@Xinbenlv: Heroku is a shared host, and Wikimedia discourages hosting service in third-party shared hosts (it may host VPN or reverse proxy, which can hide users' IP address). You should either:

• Move the project to Toolforge (recommended) or Cloud VPS
• Create a edit service in Toolforge similar to toollabs:widar, and invoke the service (you must use GET or JSONP, Cloud does not support POST from third-party service) in the project (not recommended, this may have security issues)

--GZWDer (talk) 18:41, 17 October 2019 (UTC)[reply]

@GZWDer: thank you.

First sorry I just noticed I didn't use the template (which doesn't apply to IP range extemption for al IPs), I updated it.

Second, here we are building an app that requires a user to login with Oauth. We only conduct edit on-behalf of loged-in users and their username will show up.

3rdly, with respect to your suggestion, We've considered porting the project to Toolforge but we are waiting for the Toolforge to support modern Kubernates https://phabricator.wikimedia.org/T214513.

It is not particularly feasible for all users to rely on IP addresses because as many of people who submit for permissions here, IP addresses are only largely available in USA and a few developed countries who took part in early Internet infrastructure development discussions. Many other countries they have to rely on NAT that shares limited IP addresses. Our app hope to expand to all language locales to help users with counter-vandalism efforts. If we block IP addresses, it will reduce the access of these users from Non-USA/developed countries who would like to help.

In summary, can we apply for unblocking any IP addresses if we have allowed users to identify themselves with login? Thank you!

Xinbenlv (talk) 21:21, 17 October 2019 (UTC)[reply]

all, I don't know who to send this argument to... Xinbenlv (talk) 10:36, 25 October 2019 (UTC)[reply]

I start a discussion en:User:Xinbenlv/Propose:Allow_Login_Users_By_Default_When_IP_Range_Blocked

There is a block configurations to let logged in users edit while on blocked IP: However we usually do not allow it on NOP blocks. We cannot let anyone using your tool be exempt from the block, this is a software restrictions. There's just no way to do that. And since we are not going to unblock AWS — thus Heroku — I think your only bet is to follow GZWDer's advice. — regards, Revi 07:54, 4 November 2019 (UTC)[reply]

@-revi:, @GZWDer: thanks for answering. How about the following solutions sound to admins?

1. if we use certain way to crypt-sign a request from our app's server, can you grant app-specific exception for this use-case? (rather than unblocking all IP-addresses but unblockgin all users who have signed in and use our app)?
2. if we managed to find a fixed IP address, can you unblock individual IP address of the one that we use for our webapp?

Xinbenlv (talk) 22:37, 4 November 2019 (UTC)[reply]

#1: There's no such feature^(tm) to do so. #2: I think I can do that, with two conditions: You notify us when you stop your project (thus releasing the IP to the shared pool) and you absolutely always require authentication. — regards, Revi 04:40, 5 November 2019 (UTC)[reply]

@-revi: thank you! Yes. We are likely to use at most 3 IP addresses at this moment:

• 35.222.141.110 for dev
• 34.67.56.51 for canary (staging)
• 34.69.252.115 for prod

and I agree to both terms: we will absolutely require authentication(in fact you can just allow only login users to edit from these IP addresses) and we will notify you when we stop project and release the IP to the shared pool. (once the Toolforge support mount on Root or custom domain, or we are approved for WMF Cloud VPS)

Xinbenlv (talk) 06:13, 5 November 2019 (UTC)[reply]

Note individual IPs can not be globally whitelisted (phab:T42439). They can only be whitelisted locally.--GZWDer (talk) 19:58, 5 November 2019 (UTC)[reply]

@GZWDer:, thank you!

Do I understand it correctly that both the global and local needs to unblock the IP for any IP address to be used? While I will work on applying for individual local wiki's IP whitelist approve, can I ask why individual IPs can not be globally whitelisted? In particular, is it a policy or a technical reason?

1. If it's a policy, I'd argument by fixing the static IP, it's no longer an Open Proxy since being reserved and occupied by an application, a random internet user cannot use it. Given that we promise that we only authenticate users, it's a fixed set of users (only registered Wikipedian users) rather than open to public.
2. If it's a technical issue, I'd argument previously we are blocking IP range IP1 to IP3, now if we have a static IP2 to unblock, you can block [IP1, IP2), (IP2, IP3]

Dear global admins, what do you think? Thank you!

Xinbenlv (talk) 21:35, 5 November 2019 (UTC)[reply]

Please let me know if there are other information you would love me to provide accompanying this application Xinbenlv (talk) 22:49, 7 November 2019 (UTC)[reply]

It's a technical reason. We simply cannot globally whitelist individual IP addresses, even if we wanted to. Trijnstel_talk 23:06, 9 November 2019 (UTC)[reply]

@Trijnstel: thank you for your answer. Can you help me understand how that is not technically possible? I suggested that you can unblock [IP1, IP2), (IP2, IP3] instead of the range [IP1,IP3]? Or what are alternatives if you could kindly suggest? Xinbenlv (talk) 02:54, 10 November 2019 (UTC)[reply]

@RonaldB: What can you tell me about the IP address 3.86.232.24? Currently the whole /16 IP range has been blocked and I don't think it's possible/desired to unblock a part of it, but perhaps you can advice? Trijnstel_talk 18:47, 10 November 2019 (UTC)[reply]

@RonaldB:, @Trijnstel:, @GZWDer:, @-revi:, thank you, do I understand it correctly that you are helping us to find the technical solutions because there is no other concerns in the policy aspects right? If there are policy concern, could we discuss policy concern in the meanwhile? Xinbenlv (talk) 00:41, 15 November 2019 (UTC)[reply]

@Trijnstel:, the range 3.0.0.0/9 (and that includes 3.86.232.24) belongs to Amazon AWS (not the shop, but the server hosting part of that corporation). That is a very large range and I'm pretty sure that there are thousands of much smaller ranges included, altogether used for cloud hosting/services. On nlwiki I don't block the whole /9, but when I notice abuse and suspect a VPN behind that, I block a /16 within that /9 range. Not sure, but something similar might have happened in this case as well. - Rgds RonaldB (talk) 00:50, 25 November 2019 (UTC)[reply]

Global IP block exempt for 荣智浩

<我是中国大陆用户，需要解锁全域IP>，谢谢, --荣智浩 (talk) 12:11, 14 November 2019 (UTC)[reply]

• @荣智浩:：请使用英文！并说明你需要使用Global IP Block Exemption的必要性。（Please use English! And explain the need for you to use Global IP Block Exemption.）--舞月書生（JoyeZhang）👉☎️👈 ♪My Heart Will Go On 16:17, 14 November 2019 (UTC)[reply]

你确认你遇到的是全域封禁吗？你在commoms上也遇到过这种现象吗？如果没有的话，我建议你在中文维基本地申请IP封禁豁免。另外你需要用英语解释你遇到的情况。—Techyan（Talk） 06:01, 15 November 2019 (UTC)[reply]

• @荣智浩:Are you sure your IP address have been global block? Maybe provide your IP address to confirm will be better. --Streetdeck （Talk） 09:38, 18 November 2019 (UTC)[reply]

Global IP block exempt for Horzagger

Hello, I am a nomad worker around the world and I very often connect on the Net with unsecured connections, then I prefer to use a VPN, and I use Tor in some regions of the world. I need to be allowed to connect with my VPN and with Tor on Wikipedia. (I have sign up on fr.wikipedia with my VPN, and I want to participate on several wikis of the Wikimedia Foundation). Thanks, --Horzagger (talk) 03:36, 5 December 2019 (UTC)[reply]

Global IP block exempt for Iphoneuser88

<I live in China. I can not edit many wikipedia because firewall>, thanks, --Iphoneuser88 (talk) 18:12, 6 December 2019 (UTC)[reply]

Done Ruslik (talk) 20:35, 8 December 2019 (UTC)[reply]

Global IP block exempt for Lab06 N

I am from mainland China and need to use a proxy, thanks. --Lab06 N (talk) 07:40, 8 December 2019 (UTC)[reply]

Global IP block exempt for Hindusanatandharma

I am new in here,I cant save or edit anything. Please dont what I was done any wrong. Please help me to edit. thanks, --Hindusanatandharma (talk) 14:09, 9 December 2019 (UTC)[reply]

Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions. Testing this service may result in the loss of your access and is not recommended for inexperienced users. Instructions for making a request Before requesting 2FA tester global permissions, make sure that: You are logged in on this wiki; You have read the help page about two-factor authentication and understand how it could lead to irrecoverable loss of access to your account ; To request 2FA tester global permissions Copy the template below to the bottom of this section and INDICATE you have read the Help page. If the request page is currently protected, please file as an edit request on the talk page. === 2FA Tester for {{subst:u|{{subst:REVISIONUSER}}}} === {{sr-request |status = <!--don't change this line--> |domain = global <!--don't change this line--> |user name = {{subst:REVISIONUSER}} }} <Add an explanation here>, thanks, --~~~~ The request will be approved if there is no reason not to grant one. A steward will review the request.

2FA Tester for chitta

I have read the Help Page. Seeing increased password resets on my account.

Done Ruslik (talk) 20:35, 8 December 2019 (UTC)[reply]

2FA Tester for Atehrani999

Requested for added security, thanks, --Atehrani999 (talk) 21:23, 6 December 2019 (UTC)[reply]

@Atehrani999: Have you read the documentation? Ruslik (talk) 18:42, 7 December 2019 (UTC)[reply]

2FA Tester for Centrixx

Hello, I'm trying to enable 2FA wherever I can and have read the help page, thanks, --Centrixx (talk) 19:08, 8 December 2019 (UTC)[reply]

Done Ruslik (talk) 20:34, 8 December 2019 (UTC)[reply]

Please be sure to follow the instructions below: Your request might be rejected if you don't follow the instructions. Instructions for making a request Before requesting additional global permissions, make sure that: You are logged in on this wiki; No specific section on this page exists for the permission you want to request; To request additional global permissions Copy the template below to the bottom of this section and explain what kind of access you need and why. If needed, link to relevant discussions. If you hold, or have previously held, the right and are asking for either a renewal or revival of that right, please add a link to the previous discussion. === <Add requested permission here> for [[User:Foo|Foo]] === {{sr-request |status = <!--don't change this line--> |domain = global<!--don't change this line--> |user name = Username |discussion= }} <Add an explanation here>, thanks, --~~~~ The request will be approved if consensus to do so exists after a short period of consideration. A steward will review the request.

remove global OTRS member for Yann

Thanks, --Krd 17:05, 9 December 2019 (UTC)[reply]

• User groups — Information on user groups
• Global rights log — Log of global permissions changes
• Archives
  • 2024: 01, 02, 03, 04, 05