Page MenuHomePhabricator

Deleted pages in ns:0 cannot be protected on the Commons
Closed, DuplicatePublicSecurity

Description

If a gallery page (ns:0) on the Commons has been deleted sysops cannot protect them against recreation. Error page reads "Non-protectable page - This page cannot be protected as there are no restriction types available."

Event Timeline

Masumrezarock100 added a subscriber: Masumrezarock100.

Yes, I tried reproducing this on the beta cluster. Non-existent gallery pages (me=0) can not be protected there. I tested it with https://commons.wikimedia.beta.wmflabs.org/wiki/Delta?action=protect and https://commons.wikimedia.beta.wmflabs.org/wiki/Main?action=protect . I couldn't protect them from recreation. Also I tested it with https://commons.wikimedia.beta.wmflabs.org/wiki/D?action=protect which never existed before and I got the same response. Looks like a Regression to me.

@Achim55 A question: Is this your first time experiencing this bug?

Sending an API request using the ApiSandbox to protect the "Main" page from creation (API request URL with Token) returns the following response

{
    "protect": {
        "title": "Main",
        "reason": "Per [[phab:T238052]]",
        "protections": [
            {
                "create": "sysop",
                "expiry": "infinite"
            }
        ]
    }
}

But it doesn't protect the page at all. However sending an API request to protect a non mainspace page returns a similar response but the page gets protected.

@Masumrezarock100 Yes it is. But I remember another case regarding galleries some weeks ago: They could no longer be moved to a different ns. That had been fixed then.

There are two ways for an empty list. No protection types in $wgRestrictionTypes, but I cannot find that this differ from the default one.
Or the hook TitleGetRestrictionTypes which is used from Wikibase to disable protection for entity namespace. But the gallery is no entity namespace, so that seems not the problem.

I have no idea. It works in my developer wiki, so this must be a config issue.

Api shows also no restriction type: https://commons.wikimedia.org/w/api.php?action=query&titles=NonExists|Talk:NonExists&prop=info&inprop=protection

The last create protection in ns:0 I have found was from 28. Februrary 2019 - https://commons.wikimedia.org/wiki/Frany_Dejota?action=protect
Something must be changed after that. Maybe Wikibase was enabled for the mediainfo or the structed data was enabled.

The last create protection in ns:0 I have found was from 28. Februrary 2019 - https://commons.wikimedia.org/wiki/Frany_Dejota?action=protect
Something must be changed after that. Maybe Wikibase was enabled for the mediainfo or the structed data was enabled.

Not sure how Structured Data can cause such regression.

Urbanecm added a subscriber: Urbanecm.
[urbanecm@mwmaint1002 ~]$ mwscript shell.php commonswiki
Psy Shell v0.9.9 (PHP 7.2.22-1+0~20190902.26+debian9~1.gbpd64eb7+wmf1 — cli) by Justin Hileman
>>> use Wikibase\RepoHooks;
>>> $types = Title::getFilteredRestrictionTypes(false);
=> [
     0 => "create",
     3 => "upload",
   ]
>>> RepoHooks::onTitleGetRestrictionTypes(Title::newFromText("Nonexistent"), $types)
=> null
>>> $types
=> [
     3 => "upload",
   ]
>>> ^D
Exit:  Ctrl+D
[urbanecm@mwmaint1002 ~]$

Changing project tags appropriately.

Apparently, $namespaceLookup->isEntityNamespace( NS_MAIN ) is true.

Urbanecm set Security to Software security bug.Jul 18 2020, 9:38 PM
Urbanecm added projects: Security, Security-Team.
Urbanecm changed the visibility from "Public (No Login Required)" to "Custom Policy".
Urbanecm changed the subtype of this task from "Task" to "Security Issue".
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 24 2020, 7:08 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.