
It is possible to create a different user's subpage with a JavaScript or CSS content model, so only that user or a sysop can edit or revert
Closed, Resolved (Public)

Description

Scenario: User A creates User:B/foo with a content model of CSS. The page can now only be edited by User:B and people with the editusercss permission (sysops typically). We should not allow users to change the content model of a page if they will be unable to edit it afterwards.

Possible approaches:

  1. Make permission status separate from content model of a page (only protect if it ends in .css or .js, regardless of content model). Patch is https://gerrit.wikimedia.org/r/#/c/196982/ but @Jackmcbarn doesn't like that and proposed:
  2. Check the permissions of the page with the new content model, and if the user can edit that, then allow them to make the change. We need to override Title::mContentModel to do this, which is a bit hacky, but works. I'll also submit a patch for this.
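The scenario and approach 2, as an added example that is not MediaWiki code and not part of the original task. It is a simplified model: `User`, `Page`, `can_edit` and the two `change_model_*` functions are hypothetical names, and the `edituserjs` right for JavaScript pages is assumed by analogy with the `editusercss` right named in the task.

```python
from dataclasses import dataclass

# Constructed model: content models that restrict editing on user subpages.
PROTECTED = {"css": "editusercss", "javascript": "edituserjs"}

@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset = frozenset()

@dataclass
class Page:
    title: str               # e.g. "User:B/foo"
    model: str = "wikitext"

def owner_of(title):
    """Owner of a User: subpage, or None for any other title."""
    if title.startswith("User:") and "/" in title:
        return title[len("User:"):].split("/", 1)[0]
    return None

def can_edit(user, page, model=None):
    """Edit check; `model` evaluates the page as if it had that content model."""
    model = page.model if model is None else model
    owner, right = owner_of(page.title), PROTECTED.get(model)
    if owner is None or right is None:
        return True
    return user.name == owner or right in user.rights

def change_model_before(user, page, new_model):
    """Reported behaviour: only the current content model is checked."""
    if not can_edit(user, page):
        return False
    page.model = new_model
    return True

def change_model_after(user, page, new_model):
    """Approach 2: the user must also be able to edit under the new model."""
    if not (can_edit(user, page) and can_edit(user, page, new_model)):
        return False
    page.model = new_model
    return True

if __name__ == "__main__":
    a = User("A")
    page = Page("User:B/foo")
    print(change_model_before(a, page, "css"), can_edit(a, page))  # A locks self out
    page = Page("User:B/foo")
    print(change_model_after(a, page, "css"), can_edit(a, page))   # change refused
```
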

Event Timeline

Legoktm created this task. Sep 11 2016, 5:14 AM

Change 309815 had a related patch set uploaded (by Legoktm):
Ensure users are able to edit the page after changing the content model

https://gerrit.wikimedia.org/r/309815

Change 196982 had a related patch set uploaded (by Legoktm):
Don't check content model in Title::isCssSubpage() and Title::isJsSubpage()

https://gerrit.wikimedia.org/r/196982

JJMC89 added a subscriber: JJMC89. Sep 11 2016, 5:27 AM

Change 309815 merged by jenkins-bot:
Ensure users are able to edit the page after changing the content model

https://gerrit.wikimedia.org/r/309815

Legoktm closed this task as Resolved. Sep 23 2016, 6:16 AM
Legoktm claimed this task.

Change 196982 abandoned by Legoktm:
Don't check content model in Title::isCssSubpage() and Title::isJsSubpage()

Reason:
Other patch was merged.

https://gerrit.wikimedia.org/r/196982