
Transcluding Special:RecentChanges doesn't respect the hidepatrolled parameter, because that leaks privileged information; consider reversing this
Closed, Declined · Public

Description

On my it:voy homepage https://it.wikivoyage.org/wiki/Utente:Andyrom75 there is a box (bottom left) which is supposed to show only the unpatrolled changes through {{Special:RecentChanges/days=90,limit=100,hidepatrolled}}, but it stopped working correctly a few weeks ago.

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. · Jun 26 2016, 7:20 PM

This only works if you provide a value for the parameter, i.e. hidepatrolled=1 or hidepatrolled=0.

@matej_suchanek in the last 2/3 years it has worked without specifying any value to the parameter hidepatrolled. By the way, I've tried as per your suggestion and it still doesn't work.

Any other idea?

On top of the previous message, I've tried to use that parameter in a URL and I can tell you that:

Any update on this regression?

I investigated this and it seems to be intentional:

includes/specialpage/ChangesListSpecialPage.php
// Make sure this is not being transcluded (we don't want to show this
// information to all users just because the user that saves the edit can
// patrol or is logged in)
if ( !$this->including() && $this->getUser()->useRCPatrol() ) {
  $this->registerFiltersFromDefinitions( $this->legacyReviewStatusFilterGroupDefinition );
  $this->registerFiltersFromDefinitions( $this->reviewStatusFilterGroupDefinition );
}

Thanks for your findings, now my question is whether it really makes sense.
If there is no problem in terms of security or performance, I suppose that this block can be reverted.

D3r1ck01 renamed this task from "In Special:Recentchanges the parameter hidepatrolled doesn't seem to work anymore" to "In Special:RecentChanges the parameter hidepatrolled doesn't seem to work anymore". · Oct 5 2018, 7:46 PM
D3r1ck01 updated the task description.
matej_suchanek renamed this task from "In Special:RecentChanges the parameter hidepatrolled doesn't seem to work anymore" to "In Special:RecentChanges the parameter hidepatrolled doesn't seem to work anymore when including it". · Jan 26 2019, 5:32 PM
matej_suchanek removed a subscriber: matej_suchanek.
Restricted Application added a project: Growth-Team. · Jan 26 2019, 5:32 PM
Jdforrester-WMF renamed this task from "In Special:RecentChanges the parameter hidepatrolled doesn't seem to work anymore when including it" to "Transcluding Special:RecentChanges doesn't respect the hidepatrolled parameter, because that leaks privileged information; consider reversing this". · Jan 26 2019, 8:57 PM
Jdforrester-WMF closed this task as Declined. · Jan 26 2019, 9:57 PM
Jdforrester-WMF added a subscriber: Jdforrester-WMF.

I've re-titled this to be explicit about the change.

The information about whether or not an edit is patrolled is privileged – it's not exactly secret, but it's intentionally not available to regular users as an anti-abuse measure.

Consequently, I'm going to Decline this. I appreciate that you valued this feature / security hole, but I think it was right to plug it and that we shouldn't revert.
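
A toy model of the leak that the quoted `including()` check closes, added here as an illustration; it is not MediaWiki code and not part of the original thread. It assumes a transcluded list is rendered once with the saving user's rights and that the same output is then served to every reader; the `User` class, `CHANGES` data and function names are hypothetical.

```php
<?php
// Toy model (constructed, requires PHP 8): a transcluded change list is
// rendered once with the saving user's rights, then reused for every reader.

final class User {
    public function __construct(public string $name, public bool $canPatrol) {}
}

// Constructed sample data: recent changes with their patrol status.
const CHANGES = [
    ['title' => 'Roma',   'patrolled' => true],
    ['title' => 'Milano', 'patrolled' => false],
    ['title' => 'Napoli', 'patrolled' => false],
];

// $including is true when the list is transcluded into a wiki page;
// $gateOnInclusion switches the check from the quoted snippet on or off.
function renderChanges(User $renderer, array $params, bool $including, bool $gateOnInclusion): array {
    // The patrol filter is only registered for users who may patrol and,
    // when the gate is on, only outside of transclusion.
    $filterAllowed = $renderer->canPatrol && !($gateOnInclusion && $including);
    $rows = CHANGES;
    if ($filterAllowed && !empty($params['hidepatrolled'])) {
        $rows = array_filter($rows, fn(array $c): bool => !$c['patrolled']);
    }
    return array_column($rows, 'title');
}

// Saving a page that transcludes the list: the output is stored with the
// page, not per reader, so it reflects the saver's rights.
function savePage(User $saver, bool $gateOnInclusion): array {
    return renderChanges($saver, ['hidepatrolled' => 1], true, $gateOnInclusion);
}

$patroller = new User('Patroller', true);
$anonymous = new User('Anonymous', false);

// What an unprivileged reader gets when asking directly: the parameter is ignored.
$direct = renderChanges($anonymous, ['hidepatrolled' => 1], false, true);
// Without the gate, the stored page lists only the unpatrolled edits.
$leaky = savePage($patroller, false);
// With the gate, the stored page carries no patrol information.
$gated = savePage($patroller, true);

printf("direct view (anonymous): %s\n", implode(', ', $direct));
printf("stored page, no gate:    %s\n", implode(', ', $leaky));
printf("stored page, gated:      %s\n", implode(', ', $gated));
```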