Enforce permission checks on Special:NewLexeme
Closed, ResolvedPublic3 Story Points

Description

Creating a Lexeme must only be possible by accounts with the "createpage" right.

Acceptance criteria

  • A user without the "createpage" right can not create a Lexeme

Scenarios

Scenario: Missing authorization NewLexeme page access

GIVEN I do not have the "createpage" right
WHEN I enter Special:NewLexeme
THEN I see a standard MediaWiki Permission Error

Technical notes:

  • Right checking is built into special pages and only requires you to pass the required right into the constructor of the special page. (src/Specials/SpecialNewLexeme.php)
WMDE-leszek triaged this task as Normal priority.
WMDE-leszek updated the task description. (Show Details)
Pablo-WMDE updated the task description. (Show Details)Mar 12 2018, 3:23 PM
Pablo-WMDE updated the task description. (Show Details)
Pablo-WMDE updated the task description. (Show Details)Mar 12 2018, 3:34 PM
Pablo-WMDE updated the task description. (Show Details)Mar 12 2018, 3:46 PM
Pablo-WMDE updated the task description. (Show Details)Mar 12 2018, 4:05 PM
Addshore added a subscriber: Addshore.EditedMar 13 2018, 10:14 AM

One area of this task that is still unclear is what is meant by "the right to create pages"

MediaWiki has a "createpage" right which can be found at https://www.mediawiki.org/wiki/Manual:User_rights#List_of_permissions
Wikibase also has a "property-create" right specifically for properties.
Items appear to use the mediawiki provided "createpage" right

@Lydia_Pintscher do we just want to check the standard "createpage" right or have our own right for creating lexemes?

Let's go with the standard createpage right as we do with items.

Addshore updated the task description. (Show Details)Mar 13 2018, 10:18 AM
WMDE-leszek set the point value for this task to 3.Mar 13 2018, 11:26 AM
Pablo-WMDE updated the task description. (Show Details)Mar 28 2018, 11:11 AM
Pablo-WMDE claimed this task.

Per https://www.mediawiki.org/wiki/Manual:User_rights#Creating_a_new_group_and_assigning_permissions_to_it ff. it is

  • only possible to change group definitions via configuration change, not via the API
  • the "(all)" group which by default is associated with the createpage right can not be removed from users
  • and individual permissions can not be removed from users

I conclude it is not feasible to write a browser test that asserts if a page is protected by a permission.

Pablo-WMDE removed Pablo-WMDE as the assignee of this task.
Pablo-WMDE added a subscriber: Pablo-WMDE.

Change 422931 merged by jenkins-bot:
[mediawiki/extensions/WikibaseLexeme@master] browser tests: use MWBot instead of nodemw

https://gerrit.wikimedia.org/r/422931

Change 423737 merged by jenkins-bot:
[mediawiki/extensions/WikibaseLexeme@master] Special:NewLexeme: Enforce user permission

https://gerrit.wikimedia.org/r/423737

Lydia_Pintscher closed this task as Resolved.Apr 19 2018, 8:02 AM
Lydia_Pintscher claimed this task.

Yay :)