
Allusers query auprop=rights does not include global rights (and is possibly wrong in other ways)
Open, Needs Triage, Public

Description

I just noticed that https://en.wikipedia.org/w/api.php?action=query&list=allusers&aufrom=Krenair&auto=Krenair&auprop=rights does not include editinterface, for example:

// Browser console on enwiki while logged in as Krenair: compare the rights the
// session actually has (mw.user.getRights) with what list=allusers reports for
// the same account. Both calls are asynchronous, so wait for both before comparing.
var realRights, auRights;
$.when(
    mw.user.getRights().then(function (r) { realRights = r; }),
    new mw.Api().get({ action: 'query', list: 'allusers', aufrom: 'Krenair', auto: 'Krenair', auprop: 'rights' })
        .then(function (d) { auRights = d.query.allusers[0].rights; })
).then(function () {
    console.log(realRights.length, auRights.length);
    // 56 43
    console.log(realRights.filter(function (x) { return auRights.indexOf(x) < 0; }));
    // (13) ["editcontentmodel", "editeditorprotected", "editextendedsemiprotected", "editinterface", "editprotected", "editsitecss", "editsitejs", "editsitejson", "editusercss", "edituserjs", "oathauth-enable", "protect", "suppressredirect"]
    console.log(auRights.filter(function (x) { return realRights.indexOf(x) < 0; }));
    // []
});

<bawolff> it also presumably doesn't include other rights from hooks, or revoked rights from the session (botpassword etc.)

Event Timeline

Krenair created this task. Oct 2 2018, 5:13 PM
Restricted Application added a subscriber: Aklapper. Oct 2 2018, 5:13 PM
Krenair updated the task description. Oct 2 2018, 5:14 PM
Krenair updated the task description. Oct 2 2018, 5:18 PM
Rxy moved this task from Incoming to Internal bugs on the MediaWiki-extensions-CentralAuth board.
Rxy added a subscriber: Rxy.

(Might be CentralAuth, might also be a missing Hooks::run call or something in core. I haven't dug into it yet.)

Rxy added a comment. Oct 2 2018, 7:04 PM

https://en.wikipedia.org/w/api.php?action=query&meta=userinfo&uiprop=blockinfo%7Cgroups%7Crights%7Chasmsg does include global permissions.

CentralAuth uses the "UserGetRights" hook to implement global user rights. https://phabricator.wikimedia.org/diffusion/ECAU/browse/master/includes/CentralAuthHooks.php$897-909

ApiQueryAllUsers.php calls the User::getGroupPermissions method, but it seems there is no hook in User::getGroupPermissions; that method simply expands local group permissions.
https://phabricator.wikimedia.org/source/mediawiki/browse/master/includes/api/ApiQueryAllUsers.php$323-327
https://phabricator.wikimedia.org/source/mediawiki/browse/master/includes/user/User.php$4945-4964

Anomie moved this task from Unsorted to Needs Code on the MediaWiki-API board. Oct 2 2018, 8:04 PM
Anomie added a subscriber: Anomie.

What ApiQueryAllUsers currently returns is the list of rights given by the local groups the user belongs to. It doesn't run the hooks used by CentralAuth to give rights from global groups, and it doesn't run the hooks other extensions might use to try to remove rights. At the most simple level, the fix could be to just use User->getRights() instead.

I note rMWd05ddf6e0649: Make action=query&list=users use User::getRights() fixed a similar issue in ApiQueryUsers, and seems to generally have more database-friendly code. Ideally the two would be rewritten to share common code for everything except the parts building the WHERE and ORDER BY clauses of the query and the related parameter definitions.
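To make the two code paths Rxy and Anomie describe concrete, here is an added toy model written for this page. It is not MediaWiki or CentralAuth code: the class, the hook registry, the group-to-right map, the global group, the "session grants" field and the sample accounts are all hypothetical and constructed for the example. The point it demonstrates is the one from the task: expanding local groups alone (as list=allusers does) both misses rights that a UserGetRights handler adds and keeps rights that another handler takes away, so its output is not what the user can actually do.

```php
<?php
declare(strict_types=1);

// Hypothetical model of two rights code paths (not MediaWiki code):
//  - getGroupPermissions(): local group expansion only, no hooks (list=allusers today)
//  - getRights(): group expansion followed by UserGetRights handlers (meta=userinfo)
final class RightsModel
{
    /** @var array<string, array<string, bool>> local group => right => granted */
    private array $localGroupPermissions;
    /** @var list<callable> hypothetical stand-in for Hooks::run('UserGetRights', ...) */
    private array $userGetRightsHandlers = [];

    public function __construct(array $localGroupPermissions)
    {
        $this->localGroupPermissions = $localGroupPermissions;
    }

    /** Register a handler with signature fn(array $user, array $rights): array. */
    public function onUserGetRights(callable $handler): void
    {
        $this->userGetRightsHandlers[] = $handler;
    }

    /** Models User::getGroupPermissions(): expands local groups only; no hooks run. */
    public function getGroupPermissions(array $groups): array
    {
        $rights = [];
        foreach ($groups as $group) {
            foreach ($this->localGroupPermissions[$group] ?? [] as $right => $granted) {
                if ($granted) {
                    $rights[$right] = true;
                }
            }
        }
        return array_keys($rights);
    }

    /** Models User::getRights(): group expansion, then every UserGetRights handler in order. */
    public function getRights(array $user): array
    {
        $rights = $this->getGroupPermissions($user['groups']);
        foreach ($this->userGetRightsHandlers as $handler) {
            $rights = $handler($user, $rights);
        }
        return array_values(array_unique($rights));
    }
}

/** Difference between the two views for one account, keyed the way an auditor reads it. */
function compareRightsViews(RightsModel $model, array $user): array
{
    $viaGroups = $model->getGroupPermissions($user['groups']); // what list=allusers&auprop=rights reports
    $effective = $model->getRights($user);                      // what meta=userinfo&uiprop=rights reports
    return [
        'missing_from_allusers'      => array_values(array_diff($effective, $viaGroups)),
        'wrongly_listed_by_allusers' => array_values(array_diff($viaGroups, $effective)),
    ];
}

// Constructed local group map (hypothetical, not any real wiki's configuration).
$model = new RightsModel([
    '*'     => ['read' => true, 'edit' => true],
    'user'  => ['move' => true, 'minoredit' => true],
    'sysop' => ['delete' => true, 'protect' => true],
]);

// Handler in the role CentralAuth plays: add rights from a (hypothetical) global group.
$globalGroupPermissions = ['global-interface-editor' => ['editinterface', 'editsitejs']];
$model->onUserGetRights(function (array $user, array $rights) use ($globalGroupPermissions): array {
    foreach ($user['globalGroups'] ?? [] as $group) {
        $rights = array_merge($rights, $globalGroupPermissions[$group] ?? []);
    }
    return $rights;
});

// Handler in the role a restricted session (bot password) plays: keep only the granted rights.
$model->onUserGetRights(function (array $user, array $rights): array {
    if (!isset($user['sessionGrants'])) {
        return $rights;
    }
    return array_values(array_intersect($rights, $user['sessionGrants']));
});

// Constructed sample accounts: the same local groups, different hook-driven adjustments.
$admin = ['name' => 'Alice', 'groups' => ['*', 'user', 'sysop'], 'globalGroups' => ['global-interface-editor']];
$bot   = ['name' => 'Alice@bot', 'groups' => ['*', 'user', 'sysop'], 'sessionGrants' => ['read', 'edit']];

print_r(compareRightsViews($model, $admin));
print_r(compareRightsViews($model, $bot));
```

Run with `php` from the command line. For the first account the group-only view misses the two global-group rights; for the bot-password session it lists move, minoredit, delete and protect even though the session cannot use them. Both directions matter for anyone using list=allusers to audit who holds a sensitive right such as editinterface: the group-only path undercounts holders and overstates what a restricted session can do, which is why routing the API through the same User::getRights() path the permission checks use, as Anomie suggests, is the fix rather than adding the hook call to the API module by hand.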