Related changes:
- mediawiki/core : master: SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
- mediawiki/core : REL1_27: SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
- mediawiki/core : fundraising/REL1_27: SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()

Related tasks:
- Resolved (demon): T133070 MediaWiki 1.27.1 security release
- Resolved (dpatrick): T139670 Central auth global groups don't take session rights limit into account
There are two possible solutions here:
- Move the application of ->getAllowedUserRights() to after the hook. This prevents hook functions from overriding even if they want to.
- Have CentralAuth apply ->getAllowedUserRights() itself. This means every other extension that adds rights has to do the same thing.
Both of these, code-wise, are simple. IMO, the first is probably the best. If some extension really needs the ability to override ->getAllowedUserRights(), we could always add a new hook specifically for that purpose that has the dangers clearly documented.
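To make the ordering problem behind the first option concrete, here is an added illustration (not MediaWiki's or CentralAuth's own code) of a simplified getRights() computed both ways: once with the session limit applied before the 'UserGetRights' hook, as in the affected code, and once with the hook run first, as in the fix. The group rights, the session's allowed-rights list and the hook-added right are all constructed stand-ins.

```php
<?php
// Added illustration, not MediaWiki's own code: why the order of the
// 'UserGetRights' hook and Session::getAllowedUserRights() matters.
// All names and values below are constructed stand-ins for the real ones.

// Rights the user's local groups grant.
$groupRights = [ 'read', 'edit', 'upload' ];
// Rights limit of the current session (what Session::getAllowedUserRights()
// would return for a restricted, grant-based session); null means no limit.
$sessionAllowedRights = [ 'read', 'edit' ];
// A hook function standing in for an extension such as CentralAuth that
// adds a right derived from a global group.
$userGetRightsHooks = [
	function ( array &$rights ) {
		$rights[] = 'global-right-from-hook'; // constructed right name
	},
];

function runUserGetRightsHook( array $hooks, array &$rights ) {
	foreach ( $hooks as $hook ) {
		$hook( $rights );
	}
	// Reindex in case a hook unset or duplicated an entry.
	$rights = array_values( array_unique( $rights ) );
}

// Affected order: session limit first, hook afterwards, so whatever the hook
// adds is never intersected with the session's allowed rights.
function getRightsOriginalOrder( array $groupRights, $allowed, array $hooks ) {
	$rights = $groupRights;
	if ( $allowed !== null ) {
		$rights = array_values( array_intersect( $rights, $allowed ) );
	}
	runUserGetRightsHook( $hooks, $rights );
	return $rights;
}

// Fixed order (the first option above): hook first, session limit last, so
// hook-added rights are subject to the same limit as group rights.
function getRightsFixedOrder( array $groupRights, $allowed, array $hooks ) {
	$rights = $groupRights;
	runUserGetRightsHook( $hooks, $rights );
	if ( $allowed !== null ) {
		$rights = array_values( array_intersect( $rights, $allowed ) );
	}
	return $rights;
}

foreach ( [ 'original' => 'getRightsOriginalOrder', 'fixed' => 'getRightsFixedOrder' ] as $label => $fn ) {
	$rights = $fn( $groupRights, $sessionAllowedRights, $userGetRightsHooks );
	printf( "%-9s %s\n", $label . ':', implode( ', ', $rights ) );
}
```

Running it shows the hook-added right surviving only in the original ordering; a regression test for the fix would assert that a right added by a 'UserGetRights' hook is absent when the session's allowed-rights list excludes it.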
+1 to patch. I agree that the first option is better.
Also, for when this is eventually public, I tried to make a phpunit test, but I had trouble getting the existing test to run locally, so not really tested: