Page MenuHomePhabricator

Non-interface administrators can't view source of user .js pages
Open, Needs TriagePublic


Just filing this as I don't think it was intended.

When viewing another user's .js page, when the "View source" tab is clicked, the following message is returned:

You do not have permission to edit this page, for the following reason: You do not have permission to edit this JavaScript page because it contains another user's personal settings.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 10 2018, 3:47 PM
Reedy added a subscriber: Tgr.

Works fine for me...

Hmm. Seems to be an issue with blank pages. I was checking to see if I could edit it for Amory, and it displayed the following message. URL is:

Yeah, blank/non-blank seems to be the issue; compare and — the message is correct, but loading the "unauthorized page" for a blank page (like with creating another user's js) rather than "view source" seems unintended.

Tgr added a comment.EditedOct 10 2018, 7:25 PM

There are two issues here (neither really specific to JS editing permissions):

  • Should action=edit show a readonly edit page for non-existing titles that the user has no rights to create? (Note that this is not the case currently, e.g. en:Add article?action=edit will give you a similar error. Note also that "non-existing" is somewhat vague; pages might not exist in the database but still handled somewhat as if they existed and had content, see e.g. en:MediaWiki:Timeless.js.)
  • Should the "view source" tab be shown at all if the page does not exist and the user has no right to create it? Protected titles like en:Add article do not have any view/edit options.

@TonyBallioni : Please include URLs in steps to reproduce, so someone else could try the very same test case. Thanks.