[MW 1.31.3] User right issue: user "move", "createpage", "createtalk" rights appear NOT to require/depend any more on "edit" right (documentation states the opposite)
Closed, InvalidPublic
Actions

Assigned To

None

Authored By

	Wikinaut
	Jul 7 2019, 8:11 AM

Description

For a certain local reason, I had to remove users and user rights from a small 1.31 (now: 1.31.3) wiki.
Do so I just noticed an -me- alarming problem:

In short:
It looks to me, as if the "user" "edit" right is incorrectly treated in calculation of derived user rights like move, createpage, createtalk, and, may be other rights.

Referring to documentation: https://www.mediawiki.org/wiki/Manual:User_rights/en#List_of_permissions
Documentation says (specifically: "requires the edit right")

createpage 	Create pages (which are not discussion pages) - requires the edit right 	*, user 	1.6+
createtalk 	Create discussion pages - requires the edit right 	*, user 	1.6+
edit 	         Edit pages 	*, user 	1.5+
editsemiprotected 	Edit pages protected as "Nur automatisch bestätigten Benutzern erlauben" - without cascading protection 	autoconfirmed, bot, sysop 	1.22+
editprotected 	Edit pages protected as "Nur Administratoren erlauben" - without cascading protection 	sysop 	1.13+
minoredit 	Mark edits as minor 	user 	1.6+
move 	Move pages - requires the edit right 	user, sysop 	1.5+

My LocalSettings.php:

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
# $wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['edit'] = false;
# $wgGroupPermissions['user']['move'] = false;
# $wgGroupPermissions['user']['createpage'] = false;

Alarming observation

With the above setting - with the comment lines -, the user rights "createpage", "move", "createtalk" are still set! as shown by in SpecialPage:ListGroupRights

I had to explictly reset the specific rights to remove them from being active and shown on that page.

Related Objects

Mentioned Here: T156789: Introduce and document a minimum rights hierarchy

Event Timeline

Wikinaut created this task.Jul 7 2019, 8:11 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2019, 8:11 AM

Peachey88 added a project: MediaWiki-User-management.Jul 7 2019, 8:25 AM

Peachey88 moved this task from Backlog to User rights on the MediaWiki-User-management board.

Wikinaut updated the task description. (Show Details)Jul 7 2019, 9:00 AM

Reedy added projects: MediaWiki-Documentation, Documentation.Jul 7 2019, 10:01 AM

Reedy updated the task description. (Show Details)

With the above setting - with the comment lines -, the user rights "createpage", "move", "createtalk" are still set! as shown by in SpecialPage:ListGroupRights

For what groups?

They're defined in https://github.com/wikimedia/mediawiki/blob/REL1_31/includes/DefaultSettings.php#L5126-L5127 for user

@Reedy for "User" (as mentioned in the issue title).

Documentation says (specifically: "requires the edit right")

So please try this:

remove only the "User" "edit" right in LocalSetting.php.

You will notice, that the depending rights are not removed.

So, with the code you show

# $wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['edit'] = false;
# $wgGroupPermissions['user']['move'] = false;
# $wgGroupPermissions['user']['createpage'] = false;

Of course they're going to be still set, as they're in DefaultSettings set to true, and yours are commented out?

See above. Documentation says that for createpage, createtalk, move etc, EDIT right is required, too. Please test for yourself, pls. I am pretty sure, there is an overlooked bug in the user rights logic and documentation.

So if admin removes USER EDIT right in LocalSettings, all dependend rights should be unset as well.

Are you actually able to do those actions without the edit right? Or is it just how things appear on Special:ListGroupRights?

In T227399#5311399, @Wikinaut wrote:

So if admin removes USER EDIT right in LocalSettings, all dependend rights should be unset as well.

Did this actually happen before? Is it a regression?

Honestly, I have no hint, because in 2000ies, I always modified everything (including DefaultSettings), so I perhaps never noticed this "issue". In early 2010 I started to keep everything in LocalSettings and noticed the problem just right now.

And, @Reedy, it can be that the documentation is right, that for (actually, for example) "moving" a page the "edit" right is required, but finally (when a user without "edit" right tries to "move") this action is blocked. But if this is the case, the documentation should be corrected, and the SpecialPage should be reformulated, if it shows "move" right but if the action is finally blocked at the last stage in the code.
(I don't expect that the code is written in that way).

(I hope you understand what I mean).

In T227399#5311400, @Reedy wrote:

Are you actually able to do those actions without the edit right? Or is it just how things appear on Special:ListGroupRights?

I have not checked this (I mentioned later in https://phabricator.wikimedia.org/T227399#5311404 above).

Will check immediately and report back here. One moment pls

Dear @Reedy we both came to the same conclusion: the MediaWiki code stops in the last second, when actually trying to perform the action, the action is not performed, when "edit" right is missing on which the action depends.
So my observation appears to a mere cosmetic problem when the User rights are listed on the SpecialPage. My issue should be reformulated as a documentation and SpecialPage improvement. Let me know, if you want me to formulate a new bug - or if you prefer to take over (what I prefer).

Results of my test

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['upload'] = false;
$wgGroupPermissions['user']['upload'] = false;
#$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['edit'] = false;
#$wgGroupPermissions['user']['move'] = false;
#$wgGroupPermissions['user']['createpage'] = false;

/Special:ListGroupRights:

Response when trying to create a page as a "User":

Test

There is currently no text in this page. You can search for this page title in other pages, or search the related logs, but you **do not have permission to create this page**.

I support removing requirement/dependence of "createpage", "createtalk" (and perhaps "move") rights on "edit" right, so in 1.34 a user should be able to create a page even they do not have permission to edit existing pages.

Xaosflux subscribed.Oct 16 2019, 3:24 AM

There is no clear request to be implemented or bug to be fixed. Special:ListGroupRights shows all rights assigned to a group, regardless of if a user can use them; by revoking edit rights, a user still has createpage, but is unable to use it. If you would like rights that cannot be used to not be listed, this should be a part of T156789: Introduce and document a minimum rights hierarchy

Vlad5250 unsubscribed.Aug 16 2022, 3:27 PM

	F29697639: grafik.png
	Jul 7 2019, 10:49 AM

	F29697646: grafik.png
	Jul 7 2019, 10:49 AM

[MW 1.31.3] User right issue: user "move", "createpage", "createtalk" rights appear NOT to require/depend any more on "edit" right (documentation states the opposite)Closed, InvalidPublicActions