r65818 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r65817‎ \| r65818 \| r65819 >
Date:	20:34, 2 May 2010
Author:	btongminh
Status:	resolved (Comments)
Tags:
Comment:	(bug 18408) All required permissions for uploading (upload, edit, create) are now checked when loading Special:Upload. Toolbar link for Special:Upload is no longer shown if the user does not have the required permissions. Found out that UploadBase::isAllowed is a totally inappropriate name for what it is returning. That should perhaps be changed before 1.16 is released.
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/SkinTemplate.php (modified) (history) /trunk/phase3/includes/specials/SpecialUpload.php (modified) (history) /trunk/phase3/includes/upload/UploadBase.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/upload/UploadBase.php
—	—	@@ -78,13 +78,23 @@
79	79	}
80	80
81	81	/**
	82	+ * Returns an array of permissions that is required to upload a file
	83	+ *
	84	+ * @return array
	85	+ */
	86	+ public static function getRequiredPermissions() {
	87	+ return array( 'upload', 'create', 'edit' );
	88	+ }
	89	+ /**
82	90	* Returns true if the user can use this upload module or else a string
83	91	* identifying the missing permission.
84	92	* Can be overriden by subclasses.
85	93	*/
86	94	public static function isAllowed( $user ) {
87		~~- if( !$user->isAllowed( 'upload' ) ) {~~
88		~~- return 'upload';~~
	95	+ foreach ( self::getRequiredPermissions as $permission ) {
	96	+ if ( !$user->isAllowed( $permission ) ) {
	97	+ return $permission;
	98	+ }
89	99	}
90	100	return true;
91	101	}
Index: trunk/phase3/includes/SkinTemplate.php
—	—	@@ -877,7 +877,7 @@
878	878	$nav_urls['mainpage'] = array( 'href' => self::makeMainPageUrl() );
879	879	if( $wgUploadNavigationUrl ) {
880	880	$nav_urls['upload'] = array( 'href' => $wgUploadNavigationUrl );
881		~~- } elseif( $wgEnableUploads && $wgUser->isAllowed( 'upload' ) ) {~~
	881	+ } elseif( UploadBase::isEnabled() && UploadBase::isAllowed( $wgUser ) === true ) {
882	882	$nav_urls['upload'] = array( 'href' => self::makeSpecialUrl( 'Upload' ) );
883	883	} else {
884	884	$nav_urls['upload'] = false;
Index: trunk/phase3/includes/specials/SpecialUpload.php
—	—	@@ -130,13 +130,14 @@
131	131
132	132	# Check permissions
133	133	global $wgGroupPermissions;
134		~~- if( !$wgUser->isAllowed( 'upload' ) ) {~~
	134	+ $permissionRequired = UploadBase::isAllowed( $wgUser );
	135	+ if( $permissionRequired !== true ) {
135	136	if( !$wgUser->isLoggedIn() && ( $wgGroupPermissions['user']['upload']
136	137	\|\| $wgGroupPermissions['autoconfirmed']['upload'] ) ) {
137	138	// Custom message if logged-in users without any special rights can upload
138	139	$wgOut->showErrorPage( 'uploadnologin', 'uploadnologintext' );
139	140	} else {
140		~~- $wgOut->permissionRequired( 'upload' );~~
	141	+ $wgOut->permissionRequired( $permissionRequired );
141	142	}
142	143	return;
143	144	}
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -142,6 +142,9 @@
143	143	correct link
144	144	* (bug 23284) Times are now rounded correctly
145	145	* (bug 23375) Added ogv, oga, spx as extensions for ogg files
	146	+* (bug 18408) All required permissions for uploading (upload, edit, create)
	147	+ are now checked when loading Special:Upload. Toolbar link for Special:Upload
	148	+ is no longer shown if the user does not have the required permissions.
146	149
147	150	=== API changes in 1.17 ===
148	151	* (bug 22738) Allow filtering by action type on query=logevent

Follow-up revisions

Revision	Commit summary	Author	Date
r65821	Fix for r65818.	btongminh	20:53, 2 May 2010
r65898	Fix for r65818: the proper permission is 'createpage', not 'create'. Skip che...	btongminh	14:48, 4 May 2010
r79710	Fixup FIXME on r65818	reedy	03:27, 6 January 2011

Comments

#Comment by Platonides (talk | contribs) 21:24, 2 May 2010

I don't think create should always be required. The user could have the reupload right but not create.

#Comment by Bryan (talk | contribs) 07:57, 3 May 2010

True, create should then only be required for images that are new.

#Comment by Happy-melon (talk | contribs) 18:48, 17 December 2010

You're creating a static function to return a list of rights which are only accessed by one other function, and which (as or r65898) isn't even a complete list? That level of abstraction is not necessary; just put the array in the foreach in isAllowed().

#Comment by Happy-melon (talk | contribs) 12:42, 6 January 2011

Done in r79710.

#Comment by Reedy (talk | contribs) 21:20, 21 March 2011

See bug 28166

Status & tagging log

03:27, 6 January 2011 Reedy (talk | contribs) changed the status of r65818 [removed: fixme added: resolved]
18:48, 17 December 2010 Happy-melon (talk | contribs) changed the status of r65818 [removed: new added: fixme]