From T129738
CentralAuth global group rights aren't being limited by $this->getRequest()->getSession()->getAllowedUserRights()
Status | Assigned | Task
---|---|---
Resolved | demon | T133070 MediaWiki 1.27.1 security release
Resolved | dpatrick | T139670 Central auth global groups don't take session rights limit into account
There are two possible solutions here:
Both of these, code-wise, are simple. IMO, the first is probably the best. If some extension really needs the ability to override ->getAllowedUserRights(), we could always add a new hook specifically for that purpose that has the dangers clearly documented.
+1 to patch. I agree that first option is better.
Also, for when this is eventually public, I tried to make a phpunit test, but I had trouble getting the existing test to run locally, so not really tested:
That patch won't actually test it, since the test doesn't call $user->getRights() anywhere.
The best place for the test is probably in UserTest.php.
The patch ( ) applies to both master (1.28) and 1.27. Branches 1.23 and 1.26 are not affected since there was no SessionManager.

Change 306132 had a related patch set uploaded (by Ejegg):
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
Change 306132 merged by jenkins-bot:
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
Change 306093 merged by jenkins-bot:
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
Change 306103 merged by jenkins-bot:
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
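As an added illustration, not code from MediaWiki or from the merged changes, the following reduced PHP model of User::getRights() shows why the 'UserGetRights' hook call had to move before the Session::getAllowedUserRights() intersection; the sample rights, the hook body and the function names getRightsBefore/getRightsAfter are constructed for this example.

```php
<?php
// Constructed sample data: rights implied by the user's local groups.
$groupRights = ['read', 'edit', 'delete'];

// A 'UserGetRights'-style hook standing in for CentralAuth global group
// rights: it appends rights after the group-derived list is computed.
$hooks = [
    function (array &$rights): void {
        $rights[] = 'centralauth-lock';   // constructed global-group right
    },
];

// A session limited to a subset of rights (e.g. a bot password or an OAuth
// grant). null is used here, as in getAllowedUserRights(), for "no limit".
$allowed = ['read', 'edit'];

/** Ordering before the fix: intersect with the session limit, then run hooks. */
function getRightsBefore(array $groupRights, array $hooks, ?array $allowed): array {
    $rights = $groupRights;
    if ($allowed !== null) {
        $rights = array_values(array_intersect($rights, $allowed));
    }
    foreach ($hooks as $hook) {
        $hook($rights);   // anything a hook adds here escapes the session limit
    }
    return array_values(array_unique($rights));
}

/** Ordering after the fix: run hooks first, then apply the session limit. */
function getRightsAfter(array $groupRights, array $hooks, ?array $allowed): array {
    $rights = $groupRights;
    foreach ($hooks as $hook) {
        $hook($rights);
    }
    if ($allowed !== null) {
        $rights = array_values(array_intersect($rights, $allowed));   // hook-added rights are limited too
    }
    return array_values(array_unique($rights));
}

// With the old ordering the hook-added right survives the session limit;
// with the new ordering it is removed along with 'delete'.
echo "before fix: ", implode(', ', getRightsBefore($groupRights, $hooks, $allowed)), "\n";
echo "after fix:  ", implode(', ', getRightsAfter($groupRights, $hooks, $allowed)), "\n";
```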