https://bugzilla.wikimedia.org/show_bug.cgi?id=17116

           Summary: userCan should not override wgGroupPermissions
           Product: MediaWiki
           Version: 1.13.3
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: need-review, patch
          Severity: normal
          Priority: Normal
         Component: Page protection
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: eisenst...@gmail.com


Created an attachment (id=5719)
 --> (https://bugzilla.wikimedia.org/attachment.cgi?id=5719)
Patch to continue userCan chain through userCanRead function

When an extension uses the userCan hook, the code in Title.php treats the
result of the hook as the end of the line. This means that if any userCan
extension is in use, $wgGroupPermissions is ignored for read permissions.

To replicate this issue, put the following in LocalSettings.php:
  $wgGroupPermissions['*']['read'] = false;
  $wgGroupPermissions['user']['read'] = true;
  require_once("extensions/bugreport.php");

The bugreport.php file should simply be:

<?php

$wgHooks['userCan'][] = 'bugReportUserCan';

function bugReportUserCan( $title, $wgUser, $action, &$result ){
  $result = true;
  return true;
}
?>

Note that anonymous users now have full access to the wiki.

I have attached a patch for Title.php that I've tested in a few configurations
but I'm not completely confident in a change to such a critical component. This
change continues the userCan hook through the userCanRead() function so that if
the hook returns true (to continue), userCanRead() still has the opportunity to
override it based on the default security.


-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.
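
The logic flaw described in the report, reduced to a stand-alone model. This is an added example, not the attached patch and not MediaWiki's Title.php; every function name is hypothetical, the configuration is constructed to mirror the report, and the "proposed" branch is an assumed reading of the patch description.

```php
<?php
// Simplified model of the read check; NOT MediaWiki's Title.php.
// All function names below are hypothetical.

// Constructed config mirroring the report's LocalSettings.php.
$perms = ['*' => ['read' => false], 'user' => ['read' => true]];

// Same behaviour as bugreport.php: set $result = true, return true (continue).
$hooks = [function (array $groups, string $action, &$result) {
    $result = true;
    return true;
}];

function groupAllows(array $perms, array $groups, string $action): bool {
    foreach ($groups as $g) {
        if (!empty($perms[$g][$action])) { return true; }
    }
    return false;
}

// Returns false as soon as a hook returns false (chain stopped).
function runHooks(array $hooks, array $groups, string $action, &$result): bool {
    foreach ($hooks as $hook) {
        if (!$hook($groups, $action, $result)) { return false; }
    }
    return true;
}

// Reported behaviour: any result set by a hook is final.
function canReadReported(array $hooks, array $perms, array $groups): bool {
    $result = null;
    runHooks($hooks, $groups, 'read', $result);
    return $result !== null ? (bool)$result : groupAllows($perms, $groups, 'read');
}

// Proposed behaviour (assumed reading of the patch description).
function canReadProposed(array $hooks, array $perms, array $groups): bool {
    $result = null;
    if (!runHooks($hooks, $groups, 'read', $result)) {
        return (bool)$result;                    // hook stopped the chain: its verdict stands
    }
    if ($result === false) { return false; }     // a hook may still tighten access
    return groupAllows($perms, $groups, 'read'); // group permissions can still deny
}

foreach (['anonymous' => ['*'], 'logged-in' => ['*', 'user']] as $who => $groups) {
    printf("%-9s reported=%s proposed=%s\n", $who,
        var_export(canReadReported($hooks, $perms, $groups), true),
        var_export(canReadProposed($hooks, $perms, $groups), true));
}
```

The two functions differ only for the anonymous caller, which is the case worth covering in a regression test whenever a userCan extension is installed on a wiki with restricted read access.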