Page MenuHomePhabricator

Protection does not function on newsletters
Open, LowPublic

Description

If a newsletter is protected, and someone who has the ability to manage newsletters but cannot edit through the protection tries edit it, they can still make changes, which are then sumbitted without creating a new revision in the history.

Event Timeline

Pppery created this task.Jan 4 2017, 9:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2017, 9:39 PM
QuimGil triaged this task as Low priority.Sep 7 2017, 7:47 PM
QuimGil moved this task from Backlog to Needs discussion on the MediaWiki-extensions-Newsletter board.
QuimGil added a subscriber: QuimGil.

I wonder whether this problem can still be reproduced.

About the use case itself, the basic way to protect a user from making changes to a newsletter is not to allow them to have the publisher role. Trying to protect a newsletter from their publishers seems a wrong approach by design.

Or am I misunderstanding something?

The solution in that case is to make it impossible to protect newsletters in the first place, whereas it currently is possible to protect them, without effect.

Change 371743 had a related patch set uploaded (by Pppery; owner: Brian Wolff):
[mediawiki/extensions/Newsletter@master] Fix error handling and abuse filter integration during edit

https://gerrit.wikimedia.org/r/371743