Page MenuHomePhabricator
Create Task
Maniphest T210453

DeleteBatch overwrites the global $wgUser context causing errors and session collisions.
Closed, ResolvedPublic
Actions

Description

When running a batch delete as the "Delete page script" user it overwrites the global $wgUser context. This causes all kinds of errors and pollutes user sessions. The changes fixes this to use the built in functionality to specify the deleting user. I did test for any potential security issues regarding this, but I was unable to create a situation in which two users doing the same action would get their sessions taken over. This also fixes the localized deletebatch-system-username not being used when creating the user.

https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/DeleteBatch/+/475839/

See the upper right of the screen shot where the logged in user's session was polluted and overwritten with the "Delete page script" user.

Zrzut+ekranu+(239).png (1×1 px, 160 KB)

Details

SubjectRepoBranchLines +/-
Do not override the global $wgUser. Just pass the deleting user to the doDeleteArticle() function. Actually use the system message username for user creation.mediawiki/extensions/DeleteBatchmaster+14 -31
Customize query in gerrit

Event Timeline

Alexia created this task.Nov 26 2018, 9:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2018, 9:33 PM
Alexia added a comment.Nov 26 2018, 9:33 PM

The "MediaWiki-extensions-DeleteBatch" tag does not exist so I can not add it.

gerritbot subscribed.Nov 26 2018, 9:34 PM

Change 475839 had a related patch set uploaded (by Alexia; owner: Alexia):
[mediawiki/extensions/DeleteBatch@master] Do not override the global $wgUser. Just pass the deleting user to the doDeleteArticle() function. Actually use the system message username for user creation.

https://gerrit.wikimedia.org/r/475839

gerritbot added a project: Patch-For-Review.Nov 26 2018, 9:34 PM
Aklapper added a project: MediaWiki-extensions-Other.Nov 26 2018, 9:39 PM
Alexia added a subscriber: ashley.Nov 27 2018, 10:26 PM

@ashley: You might be interested in this one since you were working on it recently.

Alexia closed this task as Resolved.Nov 27 2018, 10:37 PM
gerritbot added a comment.Nov 27 2018, 10:38 PM

Change 475839 merged by jenkins-bot:
[mediawiki/extensions/DeleteBatch@master] Do not override the global $wgUser. Just pass the deleting user to the doDeleteArticle() function. Actually use the system message username for user creation.

https://gerrit.wikimedia.org/r/475839

Peachey88 edited projects, added MediaWiki-extensions-DeleteBatch; removed MediaWiki-extensions-Other, Patch-For-Review.Jan 17 2020, 11:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL