https://bugzilla.wikimedia.org/show_bug.cgi?id=17116
Summary: userCan should not override wgGroupPermissions Product: MediaWiki Version: 1.13.3 Platform: All OS/Version: All Status: NEW Keywords: need-review, patch Severity: normal Priority: Normal Component: Page protection AssignedTo: wikibugs-l@lists.wikimedia.org ReportedBy: eisenst...@gmail.com Created an attachment (id=5719) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=5719) Patch to continue userCan chain through userCanRead function When an extension uses the userCan hook, the code in Title.php treats the result of the hook as the end of the line. This means that if any userCan extension is in use, $wgGroupPermissions is ignored for read permissions. To replicate this issue, put the following in LocalSettings.php: $wgGroupPermissions['*']['read'] = false; $wgGroupPermissions['user']['read'] = true; require_once("extensions/bugreport.php"); The bugreport.php file should simply be: <?php $wgHooks['userCan'][] = 'bugReportUserCan'; function bugReportUserCan( $title, $wgUser, $action, &$result ){ $result = true; return true; } ?> Note that anonymous users now have full access to the wiki. I have attached a patch for Title.php that I've tested in a few configurations but I'm not completely confident in a change to such a critical component. This change continues the userCan hook through the userCanRead() function so that if the hook returns true (to continue), userCanRead() still has the opportunity to override it based on the default security. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l