
$wgLogRestrictions leaking logs to recent changes
Closed, Invalid (Public)

Description

Administrator does not want the newusers log to be public anymore,
so in LocalSettings.php Administrator sets $wgLogRestrictions['newusers']='editinterface';

This is successful,
http://radioscanningtw.jidanni.org/index.php?title=Special:Log/newusers&uselang=en
is no longer public.

However those entries are still there clear as day to the public in
http://radioscanningtw.jidanni.org/index.php?title=Special:RecentChanges&uselang=en
!!

In https://www.mediawiki.org/wiki/Manual:$wgLogRestrictions we read
"Restricted logs are not added to recent changes..." But this turns out to not be true anymore!

Even if this is just a caching issue, the Administrator has told the
user he protected that information, but that information is still leaking!

MediaWiki 1.26alpha (f37cee9)

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy". (Jun 3 2015, 8:36 AM)
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Jidanni triaged this task as High priority.
Jidanni updated the task description.
Jidanni changed Security from None to Software security bug.
Jidanni updated the task description.
Jidanni edited subscribers, added: Jidanni; removed: Aklapper.

"Restricted logs are not added to recent changes..." But this turns out to not be true anymore!

Works as stated when I test it locally: restricted logs are not added to recent changes after adjusting the configuration.

Are the log entries you're seeing in recentchanges the ones that were added before you made the addition to $wgLogRestrictions?
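The question in the comment above can be answered mechanically. The following is an added example, not part of the original task or of MediaWiki: it takes the JSON an anonymous client gets from `api.php?action=query&list=recentchanges&rctype=log&rcprop=loginfo|timestamp|title&format=json` and splits restricted-type log rows into those logged before the restriction took effect and those logged after it. The sample response, the log ids and the `RESTRICTED_SINCE` time are constructed for illustration.

```python
import json
from datetime import datetime, timezone

RESTRICTED = {"newusers"}  # log types listed in $wgLogRestrictions
# Assumed time the setting went live (constructed; the task does not state it).
RESTRICTED_SINCE = datetime(2015, 6, 3, 8, 0, tzinfo=timezone.utc)

# Constructed sample of an anonymous recentchanges API response.
SAMPLE = json.loads("""
{"query": {"recentchanges": [
  {"type": "log", "title": "User:ExampleA", "timestamp": "2015-06-01T10:00:00Z",
   "logid": 101, "logtype": "newusers", "logaction": "create"},
  {"type": "log", "title": "User:ExampleB", "timestamp": "2015-06-02T11:30:00Z",
   "logid": 102, "logtype": "newusers", "logaction": "create"},
  {"type": "log", "title": "Some page", "timestamp": "2015-06-03T09:00:00Z",
   "logid": 103, "logtype": "delete", "logaction": "delete"},
  {"type": "edit", "title": "Main Page", "timestamp": "2015-06-03T09:30:00Z"},
  {"type": "log", "title": "User:ExampleC", "timestamp": "2015-06-03T12:00:00Z",
   "logid": 104, "logtype": "newusers", "logaction": "create"}
]}}
""")

def parse_ts(ts):
    """Parse the ISO 8601 UTC timestamps the API returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(response, restricted, restricted_since):
    """Return (stale, leaked) log ids for restricted types visible to the public.

    stale  = logged before the restriction was configured
    leaked = logged after it, which would contradict the manual
    """
    stale, leaked = [], []
    for rc in response.get("query", {}).get("recentchanges", []):
        if rc.get("type") != "log" or rc.get("logtype") not in restricted:
            continue  # ordinary edits and unrestricted logs are expected here
        bucket = stale if parse_ts(rc["timestamp"]) < restricted_since else leaked
        bucket.append(rc["logid"])
    return stale, leaked

if __name__ == "__main__":
    stale, leaked = classify(SAMPLE, RESTRICTED, RESTRICTED_SINCE)
    print("pre-restriction rows still visible:", stale)
    print("rows added after restriction:", leaked)
```

An empty `leaked` list with a non-empty `stale` list matches the behaviour described in the comment: only rows written before the configuration change remain visible.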

Jidanni changed Security from Software security bug to None.
Krenair changed the task status from Resolved to Invalid. (Jun 4 2015, 1:20 PM)
Krenair claimed this task.
Krenair added a subscriber: Krenair.

This is invalid, not resolved.

Krenair changed the visibility from "Custom Policy" to "Public (No Login Required)". (Jun 4 2015, 1:21 PM)
Krenair changed the edit policy from "Custom Policy" to "All Users".