Page MenuHomePhabricator
Create Task
Maniphest T182983

Consistently check permissions in API modules that modify entities
Closed, InvalidPublic
Actions

Description

As per T170673: Make ChangeOps define required permissions, ChangeOps expose the permissions (actions) they require, but we do not always check them.

In particular, Statement-related API modules like wbsetclaim, wbsetclaimvalue, wbsetqualifier, and wbsetreference do not check the actions declared by the respective ChangeOp. Only the generic checks for edit permissions are performed by EditEntity::checkEditPermissions().

Other API modules do this: ModifyEntity::checkPermissions covers the term-related API modules as well as wbsetsitelink and the generic wbeditentity API module.

Note that this is presently not a problem in practice, since we currently do not have special permissions defined for modifying Statements. But it's an inconsistency that may lead to nasty surprises down the road.

Details

SubjectRepoBranchLines +/-
Make wbsetclaim and friends check entity permissions.mediawiki/extensions/Wikibasemaster+129 -30
Customize query in gerrit

Related Objects

Event Timeline

daniel created this task.Dec 15 2017, 12:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 15 2017, 12:58 PM
thiemowmde triaged this task as Medium priority.Dec 15 2017, 2:37 PM
thiemowmde added a project: Technical-Debt.
thiemowmde moved this task from incoming to ready to go on the Wikidata board.
thiemowmde added subscribers: Lydia_Pintscher, thiemowmde.
gerritbot subscribed.Dec 15 2017, 2:37 PM

Change 397899 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Daniel Kinzler):
[mediawiki/extensions/Wikibase@master] Make wbsetclaim and friends check entity permissions.

https://gerrit.wikimedia.org/r/397899

gerritbot added a project: Patch-For-Review.Dec 15 2017, 2:37 PM
Addshore renamed this task from Consistently check permissions in API moduloes that modify entities to Consistently check permissions in API modules that modify entities.Jul 12 2018, 3:59 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
Sjoerddebruin mentioned this in T210953: Wikidata is editable for blocked users.Dec 2 2018, 11:08 PM
Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
gerritbot added a comment.Jun 5 2020, 11:03 PM

Change 397899 abandoned by Addshore:
Make wbsetclaim and friends check entity permissions.

https://gerrit.wikimedia.org/r/397899

Maintenance_bot removed a project: Patch-For-Review.Jun 5 2020, 11:10 PM
Addshore added a project: [DEPRECATED] wdwb-tech.Sep 21 2021, 8:39 AM
Addshore closed this task as Invalid.Sep 21 2021, 8:52 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL