
Autoconfirmed users with `newsletter-create` right can move newsletters
Closed, Resolved · Public

Description

It is possible for a user who does not have the newsletter-manage right, but does have newsletter-create, to move newsletters using Special:MovePage.

Event Timeline

Pppery created this task. Dec 31 2016, 10:55 PM
Restricted Application added a subscriber: Aklapper. Dec 31 2016, 10:55 PM
Filip added a subscriber: Filip. Jan 3 2017, 4:53 PM

I am not sure if it's a bug though. Admins might need a pagemove at times? @Qgil need your inputs on this one!

And btw, the title says 'Autoconfirmed' users. It should be 'Autoconfirmed users with newsletter-create right'?

Qgil triaged this task as Low priority. Jan 7 2017, 10:41 AM

I am not sure whether this is a bug or unintended feature, but the end result doesn't seem to be problematic, at least in the short term and in the planned Wikimedia deployment.

It makes sense that whoever is trusted to create newsletters is also trusted to manage them. However, this trust should be reflected explicitly in the permissions, and not be based on an inconsistency / accidental bug (which I don't know whether it is the case here).

Qgil renamed this task from Autoconfirmed users can move newsletters to Autoconfirmed users with `newsletter-manage` right can move newsletters. Jan 7 2017, 10:41 AM
Pppery renamed this task from Autoconfirmed users with `newsletter-manage` right can move newsletters to Autoconfirmed users with `newsletter-create` right can move newsletters. Jan 7 2017, 2:22 PM

You misunderstood, @Qgil. The bug here is that only the newsletter-create right, not the newsletter-manage right, is required to move newsletters.

Qgil added a comment. Jan 7 2017, 2:58 PM

I made a mistake editing the title, but I think I got the idea right. In my opinion, this is the main principle:

It makes sense that whoever is trusted to create newsletters is also trusted to manage them.

Pppery added a comment. Jan 7 2017, 3:02 PM

Yes, that makes sense, although this still seems somewhat like scope creep of the newsletter-create right.

I would close this as invalid as we are not allowing autoconfirmed users to get all these rights by default. But there is a possibility that we are not checking if the user has newsletter-manage on page move in the Newsletter namespace, and that is what @Pppery is trying to say.

Filip added a comment. Jan 7 2017, 3:09 PM

@Pppery: @01tonythomas: Now newsletter-create is only sysop group.

Pppery added a comment. Jan 7 2017, 3:28 PM

That does not invalidate this bug, as the newsletter-create right should only allow one to create newsletters

That does not invalidate this bug, as the newsletter-create right should only allow one to create newsletters

I agree. Not important, not urgent, but still a bug. If someone wants to fix it, please, be my guest. :)

GCi task?

Pppery closed this task as Resolved. Feb 8 2017, 10:04 PM
Pppery claimed this task.

Fixed by patch to T154384

Pppery reassigned this task from Pppery to Filip. Feb 8 2017, 10:04 PM
Qgil awarded a token. Feb 15 2017, 3:06 PM