r45225 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r45224‎ | r45225 | r45226 >
Date:16:06, 31 December 2008
Author:vasilievvv
Status:reverted (Comments)
Tags:
Comment:
Make access to Special:GlobalGroupPermissions and Special:GlobalGroupMembership a local permission.
Making it global is bad, since then anybody with it can change permissions on some wuuwiki, and nobody
will ever notice it.
Modified paths:
  • /trunk/extensions/CentralAuth/CentralAuth.php (modified) (history)
  • /trunk/extensions/CentralAuth/SpecialGlobalGroupMembership.php (modified) (history)
  • /trunk/extensions/CentralAuth/SpecialGlobalGroupPermissions.php (modified) (history)

Diff [purge]

Index: trunk/extensions/CentralAuth/SpecialGlobalGroupMembership.php
@@ -7,13 +7,9 @@
88 */
99
1010 class SpecialGlobalGroupMembership extends UserrightsPage {
11 - var $mGlobalUser;
1211 function SpecialGlobalGroupMembership() {
1312 SpecialPage::SpecialPage( 'GlobalGroupMembership' );
1413 wfLoadExtensionMessages('SpecialCentralAuth');
15 -
16 - global $wgUser;
17 - $this->mGlobalUser = CentralAuthUser::getInstance( $wgUser );
1814 }
1915
2016 /**
@@ -48,16 +44,10 @@
4945
5046 function changeableGroups() {
5147 global $wgUser;
52 -
53 - ## Should be a global user
54 - if (!$this->mGlobalUser->exists() || !$this->mGlobalUser->isAttached()) {
55 - return array();
56 - }
57 -
 48+
5849 $allGroups = CentralAuthUser::availableGlobalGroups();
59 -
60 - ## Permission MUST be gained from global rights.
61 - if ( $this->mGlobalUser->hasGlobalPermission( 'globalgroupmembership' ) ) {
 50+
 51+ if ( $wgUser->isAllowed( 'globalgroupmembership' ) ) {
6252 #specify addself and removeself as empty arrays -- bug 16098
6353 return array( 'add' => $allGroups, 'remove' => $allGroups, 'add-self' => array(), 'remove-self' => array() );
6454 } else {
Index: trunk/extensions/CentralAuth/SpecialGlobalGroupPermissions.php
@@ -31,16 +31,8 @@
3232 wfLoadExtensionMessages('SpecialCentralAuth');
3333 }
3434
35 - function userCanExecute($user) {
36 - $globalUser = CentralAuthUser::getInstance( $user );
37 -
38 - ## Should be a global user
39 - if (!$globalUser->exists() || !$globalUser->isAttached()) {
40 - return false;
41 - }
42 -
43 - ## Permission MUST be gained from global rights.
44 - return $globalUser->hasGlobalPermission( 'globalgrouppermissions' );
 35+ function userCanExecute( $user ) {
 36+ return $user->isAllowed( 'globalgrouppermissions' );
4537 }
4638
4739 function execute( $subpage ) {
Index: trunk/extensions/CentralAuth/CentralAuth.php
@@ -182,6 +182,8 @@
183183 $wgAvailableRights[] = 'globalgrouppermissions';
184184 $wgAvailableRights[] = 'globalgroupmembership';
185185 $wgGroupPermissions['steward']['centralauth-admin'] = true;
 186+$wgGroupPermissions['steward']['globalgrouppermissions'] = true;
 187+$wgGroupPermissions['steward']['globalgroupmembership'] = true;
186188 $wgGroupPermissions['*']['centralauth-merge'] = true;
187189
188190 $wgSpecialPages['CentralAuth'] = 'SpecialCentralAuth';

Follow-up revisions

RevisionCommit summaryAuthorDate
r45262Revert r45225 "Make access to Special:GlobalGroupPermissions and Special:Glob...brion22:42, 31 December 2008

Comments

#Comment by Brion VIBBER (talk | contribs)   22:42, 31 December 2008

Current code goes to some trouble to ensure that access to the global groups control *is* attached to the global auth & permissions. Probably not wise to just undo it without asking why first?

Reverted in r45262.

#Comment by Mike.lifeguard (talk | contribs)   06:10, 1 September 2009

There is an open bug (bug 17308) requesting this change - the same reasoning from vvv's commit message is used there as well. I'd recommend doing this. The "security issue" from allowing changes on some random wiki are greater than the "security issue" of allowing these changes to be made with a local rather than global right (which I guess is Andrew's reasoning, though he seems indifferent now).

Status & tagging log