Page MenuHomePhabricator
Create Task
Maniphest T218674

User::getRights() applies session rights restrictions to non-session users
Open, MediumPublic
Actions

Description

The Session can filter the list of rights allowed to the session-user, which is used to implement grants in OAuth and BotPasswords.

But since all User objects fall back to $wgRequest, that means they all also fall back to the request Session and therefore the OAuth or BotPasswords rights restrictions apply to users it's not intended to.

Normally this probably makes little difference, since we seldom check the rights of users other than the session user. But it can be seen easily enough by using the Action API action=query&list=users&usprop=rights.

Ideally we'd only have User objects created by newFromSession() tied to the WebRequest, or at least to its Session. A potential complication is whether there's any code that loads the session-user via some method other than User::newFromSession() and checks that User object's rights.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT180888 All permission checks should be able to return a custom error message
 OpenNoneT218674 User::getRights() applies session rights restrictions to non-session users
 OpenNoneT231930 Introduce Authority objects to represent the user performing a given action
 Resolved PcheloloT261963 Spike to explore Authority concept, implementation, and migration
 Resolved PcheloloT271458 RevisionRecord should use Authority for permission checks
 Resolved PcheloloT271300 Stop using the global service locator in RevisionRecord::userCanBitfield
 Resolved PcheloloT271459 User should implement Authority
 Resolved PcheloloT271460 Authority should be available via IContextSource
 ResolvedCCicalese_WMFT271462 Experiment with converting action API modules to Authority
 OpenNoneT271854 Convert Action API tests in core to use authority directly
 OpenNoneT271463 Refactor PermissionManager into Authority [hard]
 OpenNoneT261744 Introduce ThrottleStore
 OpenNoneT271464 Change the mechanism used to establish which permissions are exempt from user block
 DuplicateNoneT271465 Use Authority in EditPage
 OpenNoneT271466 Authority and JSON serialization
 Resolved PcheloloT271494 Expose information about user blocks via Authority and PermissionStatus
 ResolvedCCicalese_WMFT271504 PermissionsError should be instantiatable with PermissionStatus returned by Authority
 OpenNoneT271837 Convert PreferencesFactory to Authority [hard]
 OpenNoneT271975 Convert EditPage to Authority
 ResolvedNoneT271977 Convert EditConstraint system to use Authority
 ResolveddanielT272039 Convert BlockPermissionChecker and BlockPermissionCheckerFactory to use Authority
 OpenNoneT272519 Implement private wiki read permission in a way that works with Authority
 Resolved PcheloloT274947 Rename Authority::getActor to Authority::getPerformer
 Resolved PcheloloT275504 Convert MovePage to Authority
 ResolvedNoneT275507 Convert ChangeTags to Authority
 OpenNoneT275508 Convert ApiCheckCanExecute hook to Authority
 ResolvedCCicalese_WMFT275768 Mark Authority as stable
 OpendanielT310476 Add rate limiting to Authority

Event Timeline

Anomie created this task.Mar 19 2019, 1:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 19 2019, 1:56 PM
Anomie mentioned this in T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.Mar 19 2019, 2:05 PM
Tgr added a subscriber: Tgr.Mar 19 2019, 4:49 PM

User::getBlockedStatus has some ugly checks to see whether the User object whose status has been queried is the same as the global user (to determine whether the IP from $wgRequest can be used to check for IP blocks).

Anomie added a comment.Mar 19 2019, 6:21 PM

Looks like that check was first added in rSVN56325, fixing a similar bug where it was using the request's IP when checking blocks for all User objects rather than only the session user. No indication as to whether they compared user names (versus mFrom === 'session' or the like) there for a specific reason or just because that seemed like the safest way to not maybe break something else.

Samwilson added a subscriber: Samwilson.Mar 22 2019, 8:11 AM
JJMC89 moved this task from Backlog to User rights on the MediaWiki-User-management board.Apr 14 2019, 3:56 AM
Tgr added a comment.Jul 14 2019, 3:45 PM

User::getRights() has been refactored into PermissionManager::getUserPermissions() which has a comment saying FIXME: $user->getRequest().. need to be replaced with something else. So presumably in the long term a different mechanism will be needed to signal whether the permission check should take session restrictions into account. Possibly T212639: Separate could do / can do / is doing permission checks in MediaWiki.

Tgr mentioned this in T212639: Separate could do / can do / is doing permission checks in MediaWiki.Jul 14 2019, 3:46 PM
Anomie added a comment.Jul 15 2019, 2:57 PM

I agree that building that distinction into the new PermissionManager's interface would be beneficial.

Tgr mentioned this in T227772: Fix or remove capability to override user rights for the current request.Jul 17 2019, 8:48 AM
Tgr added a comment.Jul 17 2019, 8:53 AM

Note that PermissionManager now has an internal cache so it's impossible for User objects representing the same User to have different rights, e.g. in case one is a session user and the other is used in some different context. (See T227772#5340242.) Although there's probably no real use case for that anyway.

Anomie added a comment.Jul 17 2019, 2:59 PM

Err, this task is the real use case for that. But as mentioned the use case here could be satisfied by more explicit requests for "rights for the user in this session" versus "rights for this user generically".

Tgr added a subtask: T231930: Introduce Authority objects to represent the user performing a given action.Sep 3 2019, 7:33 PM
Anomie mentioned this in T231930: Introduce Authority objects to represent the user performing a given action.Jan 3 2020, 8:24 PM
Anomie mentioned this in T249189: Duplicate queries on page views (SELECT actor_id,actor_user,actor_name FROM `actor` WHERE actor_name = 'Current_user').Apr 2 2020, 2:46 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM
Restricted Application added a project: Platform Engineering. · View Herald TranscriptOct 16 2020, 5:01 PM
AMooney removed a project: Platform Engineering.Oct 20 2020, 7:25 PM
daniel added a project: Platform Team Workboards (MW Expedition).Feb 22 2021, 8:09 PM
daniel added a subscriber: daniel.

Fixing this has become possible with the introduction of the Authority interface. It should actually be fixed automatically as part of T271463: Refactor PermissionManager into Authority [hard].

daniel added a subtask: T271463: Refactor PermissionManager into Authority [hard].Feb 22 2021, 8:09 PM
Pchelolo triaged this task as Medium priority.Feb 23 2021, 6:32 PM
Pchelolo moved this task from Unsorted pile to Authority pile on the Platform Team Workboards (MW Expedition) board.
daniel lowered the priority of this task from Medium to Low.Mar 9 2021, 6:26 PM
daniel raised the priority of this task from Low to Medium.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL