Anyone with newsletter-create rights can edit a Newsletter namespace page (via the API). While these changes aren't reflected in the relevant tables, they can make things inconsistent and confusing (e.g. have the page display a different list of publishers than the actual list).

Newsletter-manage permissions should apply to editing Newsletter pages via the API as they do during normal editing. The most obvious way to do this is with a getUserPermissionsErrors (or similar) hook. However, it may also be better to make the content handler page canonical and use it instead of the separate DB tables where possible to eliminate the possibility of inconsistency in the system.
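
The hook-based approach suggested in the description, sketched as an added example; this is not code from the task, the Gerrit change, or the Newsletter extension. The class name and message key are hypothetical, `NS_NEWSLETTER` is assumed to be the namespace constant the extension defines, and only the newsletter-manage right named in the task is checked.

```php
<?php
// Added example: hypothetical handler, not the Newsletter extension's own code.
// Registration (extension.json):
//   "Hooks": { "getUserPermissionsErrors": "NewsletterEditGuard::onGetUserPermissionsErrors" }

class NewsletterEditGuard {
	/**
	 * getUserPermissionsErrors runs as part of MediaWiki's title permission
	 * checks, which both the edit form and the API edit module go through,
	 * so one rule here covers normal editing and action=edit alike.
	 *
	 * @param Title $title Page being acted on
	 * @param User $user User performing the action
	 * @param string $action Action being checked, e.g. 'edit'
	 * @param string|array &$result Message key(s) describing the denial
	 * @return bool False to deny and stop further checks, true to continue
	 */
	public static function onGetUserPermissionsErrors( $title, $user, $action, &$result ) {
		// 'create' is checked in addition to 'edit' when the edit would
		// create the page, so guard both.
		if ( !in_array( $action, [ 'edit', 'create' ], true ) ) {
			return true;
		}

		// Leave every other namespace to the normal permission system.
		// NS_NEWSLETTER: assumed constant for the Newsletter namespace.
		if ( !$title->inNamespace( NS_NEWSLETTER ) ) {
			return true;
		}

		// Holders of newsletter-manage may change Newsletter pages.
		if ( $user->isAllowed( 'newsletter-manage' ) ) {
			return true;
		}

		// Everyone else is refused, including users who only hold
		// newsletter-create. The message key is a hypothetical placeholder.
		$result = [ 'newsletter-edit-requires-manage' ];
		return false;
	}
}
```
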
Details
Subject | Repo | Branch | Lines +/- |
---|---|---|---|
Sync DB tables manually on a newsletter edit over API | mediawiki/extensions/Newsletter | master | +277 -65 |

Status | Assigned | Task |
---|---|---|
Duplicate | Qgil | T125545 Phabricator Q&A session for Community Liaisons |
Resolved | Qgil | T116025 Goal: Align Community Liaison and Developer Relations project management practices |
Resolved | Qgil | T119387 Community Liaison and Developer Relation quarterly goals for January - March 2016 |
Declined | None | T104131 Exporting existing newsletter to the Newsletter extension |
Resolved | Addshore | T110170 Goal: Deploy Newsletter extension in Wikimedia |
Duplicate | None | T115098 Deploy Newsletter extension in beta cluster |
Resolved | ori | T127297 Add the Newsletter extension to the Beta Cluster |
Resolved | Bawolff | T115095 Security review of Newsletter extension |
Resolved | 01tonythomas | T160854 Newsletter strange behaviour on an API create/edit |
Event Timeline
Can reproduce it following the procedure:
- User with newsletter-create and newsletter-manage rights editing a Newsletter over API (using Sandbox API).
- The edited content is reflected on the Newsletter page, but not on the database.
Change 346055 had a related patch set uploaded (by 01tonythomas):
[mediawiki/extensions/Newsletter@master] Sync DB tables manually on a newsletter edit over API
If I understood correctly, this is the very last bug that needs to be fixed in order to pass T115095: Security review of Newsletter extension, right?
I see a lot of activity at https://gerrit.wikimedia.org/r/346055. Go @01tonythomas Go!
@Bawolff: Sorry for the delay, but I think https://gerrit.wikimedia.org/r/#/c/346055 should be good to go as of now. Awaiting your review :)
Update from @Bawolff: The query in https://gerrit.wikimedia.org/r/#/c/346055/24/includes/content/NewsletterDataUpdate.php 44-50 needs to be fixed to make it better. Right now it just picks up everything from the db.
Change 346055 merged by jenkins-bot:
[mediawiki/extensions/Newsletter@master] Sync DB tables manually on a newsletter edit over API