Page MenuHomePhabricator
Create Task
Maniphest T160783

The page language for user js/css sub pages can be modified without the edituserjs/css right
Closed, DuplicatePublic
Actions

Description

To reproduce:

  • Assign a group that does not thave the edituserjs, editusercss, or the editusercssjs right the pagelang right.
  • Change the page language for a CSS or js user subpage that does not belong to the current user. The action will succeed, even though the user had no right to modify the subpage in the first place.

Expectation:

  • An error such as displayed on Special:Editcontentmodel would appear.

Environment:

  • Vagrant 1.9.2 on Windows with MediaWiki 1.29-alpha (master, cloned today)

On investigation for another bug I noticed that Special:PageLanguage does not check if the user actually can modify the page language for the title, it just does so anyway. If I compare this to Special:Editcontentmodel, that special page actually checks if the user can change the content model for the page, which is why it displays an error.

I'm also wondering why the content language of a CSS/js user subpage can be changed, but that's not relevant to this bug.

Details

SubjectRepoBranchLines +/-
Perform a permission check on the title when changing the page languagemediawiki/coremaster+10 -0
Customize query in gerrit

Event Timeline

Mainframe98 created this task.Mar 17 2017, 7:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2017, 7:37 PM
Mainframe98 updated the task description. (Show Details)Mar 17 2017, 7:55 PM
Mainframe98 updated the task description. (Show Details)Mar 17 2017, 7:58 PM
gerritbot subscribed.Mar 17 2017, 8:39 PM

Change 343333 had a related patch set uploaded (by Gerrit Patch Uploader; owner: Mainframe98):
[mediawiki/core] Perform a permission check on the title when changing the page language

https://gerrit.wikimedia.org/r/343333

gerritbot added a project: Patch-For-Review.Mar 17 2017, 8:39 PM
Mainframe98 closed this task as a duplicate of T74965: Special:PageLanguage permission checks: Allow pagelang changes when edit protected?.Mar 18 2017, 7:08 PM
gerritbot added a comment.Aug 14 2017, 4:48 PM

Change 343333 merged by jenkins-bot:
[mediawiki/core@master] Perform a permission check on the title when changing the page language

https://gerrit.wikimedia.org/r/343333

Mainframe98 removed a project: Patch-For-Review.May 22 2019, 9:35 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL