Page MenuHomePhabricator

[Security] Fix inconsistent Newsletter user rights
Closed, ResolvedPublic

Description

Review of 631882e3779 of Newsletter extension (Jan 29, 2017)

Anyone with newsletter-create rights can edit a Newsletter namespace page (via api). While these changes aren't reflected in the relavent tables, they can make things inconsistent and confusing (e.g. Have the page display a different list of publishers than the actual list). Newsletter-manage permissions should apply to editing Newsletter pages via the api like it does during normal editing. The most obvious way to do this is with a getUserPermissionsErrors (or similar) hook. However, it may also be better to make the content handler page canonical and use it instead of the separate db tables where possible to eliminate the possibility of inconsistency in the system.

Event Timeline

Pppery closed this task as Resolved.Mar 15 2017, 1:38 AM
Pppery added a subscriber: Pppery.

This was already done as part of T154384.

Qgil awarded a token.Mar 15 2017, 5:38 PM