| Status | Assignee | Task |
| Resolved | demon | T133070 MediaWiki 1.27.1 security release |
| Resolved | dpatrick | T139670 Central auth global groups don't take session rights limit into account |
There are two possible solutions here:
- Move the application of ->getAllowedUserRights() to after the hook. This prevents hook functions from overriding even if they want to.
- Have CentralAuth apply ->getAllowedUserRights() itself. This means every other extension that adds rights has to do the same thing.
Both of these, code-wise, are simple. IMO, the first is probably the best. If some extension really needs the ability to override ->getAllowedUserRights(), we could always add a new hook specifically for that purpose that has the dangers clearly documented.
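A small model of the ordering problem the comment describes, added here as an illustration; it is not code from MediaWiki or CentralAuth. The function names, the sample rights and the session limit are all hypothetical stand-ins, and the real `User::getRights()` has more going on than this.

```php
<?php
// Added illustration, not MediaWiki's or CentralAuth's code. It models the
// ordering problem from T139670 with plain functions: a "session rights
// limit" (the set of rights a restricted session, e.g. a bot password or an
// OAuth grant, may use) and a UserGetRights-style hook that adds rights from
// another source (CentralAuth global groups). All names are hypothetical.

// Rights granted by the user's local groups (constructed sample data).
function localGroupRights(): array {
    return [ 'read', 'edit', 'delete' ];
}

// Rights the current session is allowed to use; null means unrestricted.
// This constructed session only allows reading and editing.
function sessionAllowedRights(): ?array {
    return [ 'read', 'edit' ];
}

// Stand-in for a hook handler such as CentralAuth's: it adds rights derived
// from global groups and knows nothing about the session limit.
function globalGroupRightsHook( array &$rights ): void {
    $rights = array_unique( array_merge( $rights, [ 'delete', 'globalblock' ] ) );
}

// Intersect the computed rights with what the session allows.
function applySessionLimit( array $rights, ?array $allowed ): array {
    if ( $allowed === null ) {
        return $rights;
    }
    return array_values( array_intersect( $rights, $allowed ) );
}

// Vulnerable order: the session limit is applied first, then the hook runs
// and re-adds rights the session was never allowed to use.
function getRightsLimitBeforeHook(): array {
    $rights = applySessionLimit( localGroupRights(), sessionAllowedRights() );
    globalGroupRightsHook( $rights );
    return $rights;
}

// Fixed order (the first option in the comment): the hook runs first, then
// the limit is applied to the combined set, so no hook can bypass it.
function getRightsHookBeforeLimit(): array {
    $rights = localGroupRights();
    globalGroupRightsHook( $rights );
    return applySessionLimit( $rights, sessionAllowedRights() );
}

print_r( getRightsLimitBeforeHook() );
print_r( getRightsHookBeforeLimit() );
```

With this sample data the first call returns read, edit, delete and globalblock, so the limited session ends up with rights beyond its allowed set; the second call returns only read and edit. Moving the limit after the hook is what makes the second option in the comment unnecessary: no extension has to remember to apply the limit itself.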
That patch won't actually test it, since the test doesn't call $user->getRights() anywhere.
The best place for the test is probably in UserTest.php.
0001-SECURITY-Move-UserGetRights-call-before-application-.patch
The patch (0001-SECURITY-Move-UserGetRights-call-before-application-.patch) applies to both master (1.28) and 1.27. Branches 1.23 and 1.26 are not affected since there was no SessionManager.