Page MenuHomePhabricator

Consistently check permissions in API modules that modify entities
Open, NormalPublic

Description

As per T170673: Make ChangeOps define required permissions, ChangeOps expose the permissions (actions) they require, but we do not always check them.

In particular, Statement-related API modules like wbsetclaim, wbsetclaimvalue, wbsetqualifier, and wbsetreference do not check the actions declared by the respective ChangeOp. Only the generic checks for edit permissions are performed by EditEntity::checkEditPermissions().

Other API modules do this: ModifyEntity::checkPermissions covers the term-related API modules as well as wbsetsitelink and the generic wbeditentity API module.

Note that this is presently not a problem in practice, since we currently do not have special permissions defined for modifying Statements. But it's an inconsistency that may lead to nasty surprises down the road.

Event Timeline

daniel created this task.Dec 15 2017, 12:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 15 2017, 12:58 PM
thiemowmde triaged this task as Normal priority.Dec 15 2017, 2:37 PM
thiemowmde added a project: Technical-Debt.
thiemowmde moved this task from incoming to ready to go on the Wikidata board.

Change 397899 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Daniel Kinzler):
[mediawiki/extensions/Wikibase@master] Make wbsetclaim and friends check entity permissions.

https://gerrit.wikimedia.org/r/397899

Addshore renamed this task from Consistently check permissions in API moduloes that modify entities to Consistently check permissions in API modules that modify entities.Jul 12 2018, 3:59 PM