Page MenuHomePhabricator
Create Task
Maniphest T156789

Introduce and document a minimum rights hierarchy
Open, MediumPublic
Actions

Description

Problem

There seems to be an undocumented and inconsistent hierarchy of rights. For example, if I cannot view a page, I cannot edit it. But: if I can't edit, can I still move? In particular, the API has no concept of a hierarchy of rights. This leads to potential security issues in read protected MediaWikis.

Who would benefit

Extension developers and MediaWiki maintainers will have a more clear cut security model.

Proposed solution

We should add a minimum hierarchy in our rights, such as read > edit > other actions, similar to the way we have a hierarchy in the user groups: * > user > other groups. If one cannot read, they cannot do anything else. If one cannot edit, they cannot do any other modifications. I know this is too simplistic, so we need to sketch out a proper hierarchy. The hierarchy should also be documented.

Related Objects

Event Timeline

Mglaser created this task.Jan 31 2017, 11:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2017, 11:02 AM
TTO subscribed.EditedJan 31 2017, 11:30 AM

Just to be clear, this task is asking both for code changes (adding a proper rights hierarchy as part of the user permissions system in MW core) and documentation (documenting this new hierarchy system on MW.org)? It's not 100% clear that code changes are being asked for here.

Anomie subscribed.Jan 31 2017, 3:26 PM

There isn't really a hierarchy in user groups either. It only seems that way because '*' means "everyone" and 'user' means "all logged-in users", so it's very hard to have a user in any other group without also being in those two.

If one cannot read, they cannot do anything else.

Looking at the action API in core, someone without the 'read' right can still potentially log in, log out, create accounts, fetch CSRF tokens, fetch RSD information, submit CSP reports, access the help, access paraminfo (which is basically machine-readable help), and query AuthManager information. Some of those require rights other than 'read', e.g. "create accounts" needs the ability to create accounts, and "log in" might need the ability to auto-create accounts.

RHeigl awarded a token.Jan 31 2017, 4:17 PM
srishakatux added projects: MediaWiki-General, MediaWiki-Documentation.Feb 3 2017, 12:04 AM
Restricted Application added a project: Documentation. · View Herald TranscriptFeb 3 2017, 12:04 AM
srishakatux moved this task from To Be Triaged to Backend on the Developer-Wishlist (2017) board.Feb 3 2017, 12:07 AM
srishakatux moved this task from Backend to Documentation on the Developer-Wishlist (2017) board.
srishakatux subscribed.Feb 3 2017, 11:34 PM

This project is selected for the Developer-Wishlist voting round and will be added to a MediaWiki page very soon. To the subscribers, or proposer of this task: please help modify the task description: add a brief summary (10-12 lines) of the problem that this proposal raises, topics discussed in the comments, and a proposed solution (if there is any yet). Remember to add a header with a title "Description," to your content. Please do so before February 5th, 12:00 pm UTC.

tom29739 subscribed.Feb 6 2017, 1:08 PM
Mglaser added a comment.Feb 7 2017, 2:13 PM

@TTO, yes I propose a code change as well as documentation. If you'd ask me for priorisation, I'd go for documentation first. I am pretty sure we will find peculiar dependencies during documentation, which I then propose to be fixed.
In addition, I propose to have a set of very basic rights which are the basis for other rights. Tuning such an extensive set of 80+ rights as we see it in MediaWiki is painful and failure prone. If, for example, I can rely on the fact that taking away read rights also completely takes away edit rights, or taking away the edit right would take away all modification rights, this would simplify the set up a lot, reduce accidential misconfigurations and make MediaWiki safer in the end.

Ricordisamoa subscribed.Feb 8 2017, 11:29 AM
MGChecker awarded a token.Aug 20 2017, 6:36 PM
MGChecker subscribed.
srodlund moved this task from Backlog to New Technical Documentation Request on the Documentation board.Aug 14 2018, 11:53 PM
Tgr subscribed.Apr 27 2019, 7:01 AM

Related: T156788: Improve support for read access restriction / access control

DannyS712 subscribed.Apr 27 2019, 7:11 AM
cicalese triaged this task as Medium priority.Jul 30 2019, 11:54 PM
cicalese moved this task from Needs Discussion to Needs Discussion on the MediaWiki-Stakeholders-Group board.
DannyS712 added a comment.EditedDec 27 2019, 11:36 PM

Some related notes regarding rights hierarchy:

[1] https://gerrit.wikimedia.org/g/mediawiki/core/+/0c37a0a94a929e9c3465f02b537a1852a0028c75/includes/MovePage.php#122
[2] https://gerrit.wikimedia.org/g/mediawiki/core/+/0c37a0a94a929e9c3465f02b537a1852a0028c75/includes/Permissions/PermissionManager.php#758

DannyS712 awarded a token.Dec 27 2019, 11:36 PM
DannyS712 mentioned this in T227399: [MW 1.31.3] User right issue: user "move", "createpage", "createtalk" rights appear NOT to require/depend any more on "edit" right (documentation states the opposite).Apr 1 2020, 7:54 PM
Enterprisey subscribed.Apr 20 2020, 8:01 AM
Akuckartz moved this task from Needs Discussion to Needs Discussion on the MediaWiki-Stakeholders-Group board.Jun 16 2020, 4:54 AM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL