
Feed diff-content should be hidden for users without the "read" user right
Open, Low, Public

Description

Author: dieudonne

Description:
Until MediaWiki 1.11.2, when restricting access with, for example, these settings in LocalSettings.php:

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgShowIPinHeader = false; # For non-logged in users
$wgWhitelistRead = array( "Accueil", "Special:Userlogin", "Special:Listusers", "Aide:Aide", );
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['createaccount'] = true;

it remained possible to have the full description of diffs within RSS feeds.

Since MW 1.12 and MW 1.13, only the title and the author of the change remain. The diffs aren't present any more in the RSS, although the feed is already protected (it can't be read without being logged in).

How is it possible to have the diffs still present in RSS/Atom feeds when a wiki is read-protected?

Feeds help save lots of time even on protected wikis!


Version: 1.18.x
Severity: normal

Details

Reference
bz15472

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 10:20 PM
bzimport set Reference to bz15472.
bzimport added a subscriber: Unknown Object (MLST).

Still current, got a complaint on internal.wikimedia.org and confirmed.

Culprit seems to be a bogus permission check in FeedUtils::formatDiffRow():

//NOTE: Check permissions for anonymous users, not current user.
//      No "privileged" version should end up in the cache.
//      Most feed readers will not log in anway.
$anon = new User();
$accErrors = $title->getUserPermissionsErrors( 'read', $anon, true );

On a fully-restricted site, anonymous viewers wouldn't be able to reach a feed at all, so this makes no sense -- you just end up with a feed that's just missing content for all the people who *can* read it.

This might make sense on a partially-restricted site, where the feed is accessible but some pages can't be read by anon visitors... in which case you'd still be exposing various edit information that you likely ought not to.
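To make the trade-off described in the two paragraphs above concrete, here is a small added model (Python, not MediaWiki code) of a feed item check sitting in front of a shared feed cache. The `Wiki` class, the group names, the sample diff and the policy labels are constructed for this illustration; the "current-nocache" policy is an assumed alternative, not a change the project made.

```python
# Toy model of the FeedUtils::formatDiffRow() permission check discussed above.
# It is NOT MediaWiki code; it only reproduces the decision logic and a shared
# cache so the consequences of each policy can be observed on sample data.
from dataclasses import dataclass, field


@dataclass
class Wiki:
    # constructed sample: groups allowed to read each page ('*' = everyone/anonymous)
    read_groups: dict
    cache: dict = field(default_factory=dict)  # shared feed cache keyed by page

    def can_read(self, page, user_groups):
        return bool(self.read_groups[page] & user_groups)

    def feed_item(self, page, diff, user_groups, policy):
        """Return the diff body a feed consumer holding user_groups receives."""
        key = page
        if policy == "anon":
            # Current behaviour quoted in the task: check the anonymous user so no
            # privileged version is cached. Side effect: on a read-restricted page
            # nobody gets the diff, not even readers who are allowed to see it.
            body = diff if self.can_read(page, {"*"}) else None
            self.cache.setdefault(key, body)
            return self.cache[key]
        if policy == "current":
            # Naive alternative: check the requesting user but keep sharing the
            # cache. A logged-in reader's privileged output is cached and then
            # served to anonymous readers, which is the leak the NOTE warns about.
            if key in self.cache:
                return self.cache[key]
            body = diff if self.can_read(page, user_groups) else None
            self.cache[key] = body
            return body
        if policy == "current-nocache":
            # Assumed fix (illustration only): check the requester, but only cache
            # output that the anonymous user could have read anyway.
            body = diff if self.can_read(page, user_groups) else None
            if self.can_read(page, {"*"}):
                self.cache.setdefault(key, body)
            return body
        raise ValueError(policy)


def scenario(policy, page="Secret"):
    """A logged-in reader fetches the feed first, then an anonymous reader."""
    wiki = Wiki(read_groups={"Accueil": {"*", "user"}, "Secret": {"user"}})
    diff = "-old line\n+new line"  # constructed sample diff
    seen_by_user = wiki.feed_item(page, diff, {"*", "user"}, policy)
    seen_by_anon = wiki.feed_item(page, diff, {"*"}, policy)
    return seen_by_user, seen_by_anon
```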

dieudonne wrote:

(In reply to comment #1)

It's good to feel understood :-)

Any chance to see an evolution about that?

Could an existing extension help turn around the problem?

Brion,

Culprit seems to be a bogus permission check in FeedUtils::formatDiffRow():

Do you suppose you could check out removing the bogus permission check and see what happens?

dieudonne wrote:

Thank you Mark for your interest in this problem.

Does anyone have an idea of the evolution of this bug?

(In reply to comment #4)

Does anyone have an idea of the evolution of this bug?

I'll bring it up in our next bug triage.

Not planning to solve this for 1.18

dieudonne wrote:

(In reply to comment #7)

Not planning to solve this for 1.18

Any chance it can be solved with 1.19?

Or does anyone know how to make http://www.mediawiki.org/wiki/Extension:FeedsFromPrivateWikis compatible with 1.18?

(In reply to comment #8)

Or does anyone know how to make http://www.mediawiki.org/wiki/Extension:FeedsFromPrivateWikis compatible with 1.18?

I just tried it in 1.18 and didn't see any obvious problems. But I did not test thoroughly. What problems are you seeing?

dieudonne wrote:

(In reply to comment #9)

I just tried it in 1.18 and didn't see any obvious problems. But I did not test thoroughly. What problems are you seeing?

Same problem as with the other feed: it gives only the title of the modification, not its content.

dieudonne wrote:

Did anybody try with MW 1.19?