r85005 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r85004‎ \| r85005 \| r85006 >
Date:	12:53, 30 March 2011
Author:	happy-melon
Status:	ok (Comments)
Tags:
Comment:	(bug 15641) tweak Title::checkUserBlock() so that Title::getUserPermissionsErrors() more comprehensively prevents blocked users from performing various actions; particularly prevents blocked admins from protecting or deleting their own talk page.
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/Title.php (modified) (history) /trunk/phase3/includes/specials/SpecialImport.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/Title.php
—	—	@@ -1541,8 +1541,14 @@
1542	1542	$errors[] = array( 'confirmedittext' );
1543	1543	}
1544	1544
1545		~~- // Edit blocks should not affect reading. Account creation blocks handled at userlogin.~~
1546		~~- if ( $action != 'read' && $action != 'createaccount' && $user->isBlockedFrom( $this ) ) {~~
	1545	+ if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){
	1546	+ // Edit blocks should not affect reading.
	1547	+ // Account creation blocks handled at userlogin.
	1548	+ // Unblocking handled in SpecialUnblock
	1549	+ } elseif( ( $action == 'edit' \|\| $action == 'create' ) && !$user->isBlockedFrom( $this ) ){
	1550	+ // Don't block the user from editing their own talk page unless they've been
	1551	+ // explicitly blocked from that too.
	1552	+ } elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) {
1547	1553	$block = $user->mBlock;
1548	1554
1549	1555	// This is from OutputPage::blockedPage
Index: trunk/phase3/includes/specials/SpecialImport.php
—	—	@@ -52,7 +52,7 @@
53	53	* Execute
54	54	*/
55	55	function execute( $par ) {
56		~~- global $wgRequest;~~
	56	+ global $wgRequest, $wgUser, $wgOut;
57	57
58	58	$this->setHeaders();
59	59	$this->outputHeader();
—	—	@@ -63,6 +63,22 @@
64	64	return;
65	65	}
66	66
	67	+ if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) {
	68	+ return $wgOut->permissionRequired( 'import' );
	69	+ }
	70	+
	71	+ # TODO: allow Title::getUserPermissionsErrors() to take an array
	72	+ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
	73	+ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
	74	+ $errors = wfMergeErrorArrays(
	75	+ $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ),
	76	+ $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) )
	77	+ );
	78	+ if( $errors ){
	79	+ $wgOut->showPermissionsErrorPage( $errors );
	80	+ return;
	81	+ }
	82	+
67	83	if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
68	84	$this->doImport();
69	85	}
—	—	@@ -145,9 +161,6 @@
146	162
147	163	private function showForm() {
148	164	global $wgUser, $wgOut, $wgImportSources, $wgExportMaxLinkDepth;
149		~~- if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) {~~
150		~~- return $wgOut->permissionRequired( 'import' );~~
151		~~- }~~
152	165
153	166	$action = $this->getTitle()->getLocalUrl( array( 'action' => 'submit' ) );
154	167
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -205,6 +205,9 @@
206	206	since length can vary by localization.
207	207	* (bug 28242) Make redirects generated by urls containing a local interwiki
208	208	prefix be a 301 instead of a 302.
	209	+* (bug 15641) blocked administrators are now prevented from deleting or protecting
	210	+ their own talk page; and all blocked users are more comprehensively prevented
	211	+ from performing other actions
209	212
210	213	=== API changes in 1.18 ===
211	214	* (bug 26339) Throw warning when truncating an overlarge API result

Follow-up revisions

Revision	Commit summary	Author	Date
r85006	Additional release notes for r85005, which I meant to commit as two separate ...	happy-melon	12:58, 30 March 2011
r85075	MFT r85005 & r85006...	platonides	18:06, 31 March 2011
r85076	Merge r85075 from 1.17 branch (r85005 on trunk).	platonides	18:22, 31 March 2011
r85099	Fix for r85005: the getUserPermissionsErrors() calls were each returning a ba...	happy-melon	23:09, 31 March 2011
r93246	(bug 15641) prevent blocked administrators from accessing deleted revisions.	happy-melon	20:54, 26 July 2011

Comments

#Comment by Happy-melon (talk | contribs) 13:20, 30 March 2011

The previous behaviour in SpecialImport allows users without the 'import' permission to submit a direct POST form and bypass all permissions checks. It also allowed blocked admins to continue to use the form entirely regardless, but that's a much lesser problem. The form is protected by an edit token, but it's the user's own token and is unsalted, so they can easily get a copy of it from anywhere else they are allowed to see a form (eg any HTMLForm).

It's not necessary to backport the changes to Title.php to fix this, only the changes to SpecialImport.php and the release notes from r85006. I tried to do them as two separate commits, but failed miserably... :D

#Comment by Platonides (talk | contribs) 18:07, 31 March 2011

Seems worth backporting to 1.16, too. Time for a new 1.16.x?

The bug affects only to transwikifying from wikis which are already configured as import sources, not to importupload.

The specials/SpecialImport.php fix is not backwards compatible. $wgUser->isAllowedAny is only available in trunk. Fixed in the merge r85075.

Status & tagging log

19:15, 31 March 2011 Platonides (talk | contribs) changed the tags for r85005 [removed: 1.17wmf1]
18:24, 31 March 2011 😂 (talk | contribs) changed the tags for r85005 [removed: 1.17]
18:07, 31 March 2011 Platonides (talk | contribs) changed the status of r85005 [removed: new added: ok]
13:20, 30 March 2011 Happy-melon (talk | contribs) changed the tags for r85005 [added: 1.17,1.17wmf1]