Sysops can undelete pages, although the page is protected against it
Closed, ResolvedPublic

Description

When a page is protected at a level that a normal sysop can't override, he can recreate this page by undeleting former revisions, see also the last two log entries here: http://meta.wikimedia.beta.wmflabs.org/w/index.php?title=Special:Log&page=Superprotecttest, my normal account Luke081515 got rights to edit pages with superprotect, Luke081515.2 was a normal sysop, and can't edit pages with superprotect.

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Aug 6 2015, 12:00 AM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper.Aug 6 2015, 12:00 AM
Luke081515 updated the task description.
Luke081515 changed Security from None to Software security bug.
Luke081515 edited subscribers, added: Luke081515; removed: Aklapper.

This removal happens automatically when you create a bug with "software security bug".

csteipp claimed this task.Aug 12 2015, 8:39 PM
csteipp added a project: Security-Team.
csteipp triaged this task as Normal priority.Sep 8 2015, 7:55 PM
csteipp added a subscriber: Anomie.

Reproduction

  • delete existing page
  • add protection to title to allow only superprotect users to create the title
  • As a user who can undelete, but not superprotect, undelete the title
  • After restoration, the page is not limited to superprotect users, so anyone can edit

While testing this, I noticed that a non-superprotect user can update the protection for a deleted (or never created) + superprotected page also, so restoring a deleted revision isn't actually needed.

@Anomie, did superprotect intentionally not cover this case, or do protect and undelete need to check creation rights for that title?

While testing this, I noticed that a non-superprotect user can update the protection for a deleted (or never created) + superprotected page also, so restoring a deleted revision isn't actually needed.

Which is T108141
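The reproduction steps above and the related protection case can be modelled in a few lines. This is an added example, not MediaWiki code: the User/Title classes, the right names in LEVEL_RIGHT and the constructed accounts and title are all assumptions made here to illustrate why the undelete path needs the same create/edit check as direct page creation.

```python
"""Model of the undelete authorisation gap described in this task.

Added example, not MediaWiki code: User, Title, can_perform and the
protection-level table below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Protection level -> extra right needed to pass it (assumed names).
# "superprotect" is assumed to need a right ordinary sysops lack.
LEVEL_RIGHT = {
    "": None,
    "autoconfirmed": "autoconfirmed",
    "sysop": "editprotected",
    "superprotect": "superprotect",
}


@dataclass
class User:
    name: str
    rights: set

    def has(self, right):
        return right in self.rights


@dataclass
class Title:
    name: str
    exists: bool
    deleted_revisions: int = 0
    # Restriction level per action. A non-existent title carries only a
    # "create" (title) restriction, as in the report.
    restrictions: dict = field(default_factory=dict)


def can_perform(user, title, action):
    """True if `user` may perform `action` on `title` under its restriction."""
    if action == "edit" and not user.has("edit"):
        return False
    if action == "create" and not user.has("createpage"):
        return False
    needed = LEVEL_RIGHT.get(title.restrictions.get(action, ""))
    return needed is None or user.has(needed)


def can_undelete_before_fix(user, title):
    # Pre-fix behaviour: only the 'undelete' right is consulted.
    return user.has("undelete")


def can_undelete_after_fix(user, title):
    # Post-fix behaviour: restoring recreates the page, so the user must
    # also be allowed to create (missing title) or edit (existing title).
    if not user.has("undelete"):
        return False
    action = "edit" if title.exists else "create"
    return can_perform(user, title, action)


def can_change_protection(user, title):
    """Related T108141 case: changing protection should at least require
    that the user could pass the restriction already in place."""
    if not user.has("protect"):
        return False
    return all(can_perform(user, title, a) for a in title.restrictions)


def undelete(user, title, check):
    """Attempt the restore; return True if it happened. On success the page
    exists again and the 'create' title restriction no longer applies,
    which is why the restored page became editable by anyone."""
    if not check(user, title) or title.deleted_revisions == 0:
        return False
    title.exists = True
    title.deleted_revisions = 0
    title.restrictions.pop("create", None)
    return True


def reproduce(check):
    """Run the reported steps with a constructed sysop account and title;
    return (restored, editable_by_that_sysop)."""
    sysop = User("Luke081515.2",
                 {"edit", "createpage", "undelete", "editprotected"})
    title = Title("Superprotecttest", exists=False, deleted_revisions=3,
                  restrictions={"create": "superprotect"})
    assert not can_perform(sysop, title, "create")  # direct creation blocked
    restored = undelete(sysop, title, check)
    editable = restored and can_perform(sysop, title, "edit")
    return restored, editable


if __name__ == "__main__":
    print("before fix:", reproduce(can_undelete_before_fix))
    print("after fix: ", reproduce(can_undelete_after_fix))
```

Running it shows the pre-fix check restoring the page and leaving it editable, while the post-fix check refuses the restore because the sysop could not have created the title directly; a user holding the superprotect right still passes.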

csteipp removed csteipp as the assignee of this task.Sep 8 2015, 7:57 PM
Bawolff added a subscriber: Bawolff.

Code-Review: +1 Looks sane, haven't tested.

Who could give these 25 lines (in includes/Title.php and includes/api/ApiUndelete.php) a final review / decision?

Reedy added a subscriber: Reedy.Mar 20 2017, 12:02 AM

Can we get this tested?

Reedy added a comment.Mar 21 2017, 9:49 PM

Seems there were a few changes that needed rebasing for...

Reedy assigned this task to Bawolff.Mar 31 2017, 12:17 AM
Reedy closed this task as Resolved.Apr 1 2017, 4:35 PM

Closing for ease of tracking progress. Patches attached to parent bug, due for next release.

Can you take a look at T108141 as well, since it is related, and there is already a patch awaiting review?

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 6 2017, 8:57 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".

Change 346847 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Do not allow users to undelete a page they can't edit or create

https://gerrit.wikimedia.org/r/346847

Change 346866 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: Do not allow users to undelete a page they can't edit or create

https://gerrit.wikimedia.org/r/346866

Change 346856 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: Do not allow users to undelete a page they can't edit or create

https://gerrit.wikimedia.org/r/346856