Page MenuHomePhabricator
Create Task
Maniphest T240532

Privileged users see "view source" on cascade protected page
Closed, InvalidPublicBUG REPORT
Actions

Assigned To
None
Authored By
Keyacom
Dec 12 2019, 8:18 AM
Tags
Referenced Files
F31474900: Screen Shot 2019-12-13 at 17.44.17.png
Dec 13 2019, 4:53 PM
F31474898: Screen Shot 2019-12-13 at 17.44.09.png
Dec 13 2019, 4:53 PM
F31474194: Screen Shot 2019-12-13 at 1.06.01 AM.png
Dec 13 2019, 12:13 AM
F31473403: view_source.png
Dec 12 2019, 8:18 AM
Subscribers
Aklapper
Ammarpad
Keyacom
Lucas_Werkmeister_WMDE
Umherirrender

Description

  1. Go to any wiki that uses MediaWiki.
  2. Make sure you have the permission to protect pages (protect).
  3. Go to any page that has at least one page transcluded.
  4. Protect the page on sysop or autoconfirmed level with the "cascading" option turned on.
  5. Go to the transcluded page.

Actual result:
You will see "view source" instead of "edit" (in all skins).
Expected result:
You will see "edit". (This should apply to all users who have permission to edit the page).

WARNING: The text in the image is "view source" in the Polish locale.
view_source.png (63×235 px, 8 KB)

Related Objects

Event Timeline

Keyacom created this task.Dec 12 2019, 8:18 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 12 2019, 8:18 AM
Ammarpad renamed this task from Defect: "view source" with cascading protection to Privileged users see "view source" on cascade protected page.Dec 12 2019, 8:50 AM
Ammarpad changed the subtype of this task from "Task" to "Bug Report".
Aklapper edited projects, added MediaWiki-Page-protection; removed MediaWiki-General.Dec 12 2019, 12:47 PM
Umherirrender subscribed.Dec 12 2019, 9:02 PM

Are you sure the transcluded page itself is not protected? Are you sure you are not protected from editing or editing this partial page?

Cascade protection on plwiki:

https://pl.wikipedia.org/wiki/Specjalna:Zabezpieczone_strony?namespace=&type=edit&level=0&wpfilters%5B%5D=cascadeonly&size-mode=min&size=&uselang=en

When looking at transcluded pages of some of them I see the edit source link, but I have no idea where the orange icon from your image is coming from.

Ammarpad subscribed.Dec 13 2019, 12:13 AM

I cannot reproduce this. I am also interested in knowing where that colorful box comes from.

Screen Shot 2019-12-13 at 1.06.01 AM.png (471×1 px, 63 KB)

Aklapper changed the task status from Open to Stalled.Dec 13 2019, 4:23 AM
Keyacom added a comment.Dec 13 2019, 8:40 AM
In T240532#5738180, @Ammarpad wrote:

I cannot reproduce this. I am also interested in knowing where that colorful box comes from.

Screen Shot 2019-12-13 at 1.06.01 AM.png (471×1 px, 63 KB)

The screenshot is from the interface in the Oasis skin, used in FANDOM wikis.

Lucas_Werkmeister_WMDE subscribed.Dec 13 2019, 4:53 PM

I would also be very surprised by this bug, because I’ve seen the exact opposite effect – I see “Edit” rather than “View source” on the enwiki page Wikipedia:Selected anniversaries/December 14, even though I don’t actually have the right to edit it.

Screen Shot 2019-12-13 at 17.44.09.png (480×640 px, 109 KB) Screen Shot 2019-12-13 at 17.44.17.png (480×640 px, 90 KB)

As far as I understand, this is because MediaWiki’s “is probably editable” check (in PermissionManager terms, a “quick” rather than “full” or “secure” check), which among other things governs the “edit” / “view source” distinction, does not take cascade protection into account – it would be too expensive to do so on every page view.

Fandom uses a fork of a pretty old MediaWiki version (though they’re working on an upgrade), with hundreds of extensions. I suspect the bug is somewhere in there (who knows where exactly), not in current MediaWiki core.

Keyacom added a comment.Dec 14 2019, 9:01 AM
In T240532#5739729, @Lucas_Werkmeister_WMDE wrote:

Fandom uses a fork of a pretty old MediaWiki version (though they’re working on an upgrade), with hundreds of extensions. I suspect the bug is somewhere in there (who knows where exactly), not in current MediaWiki core.

Yes, FANDOM uses an old version of MediaWiki that still has no {{!}} magic word, and an upgrade would cause so much traffic.

On my wiki, the main page is protected with cascading protection:

PokéSpołeczeństwo Wiki (the main page, protected [edit=sysop, indefinite] [move=sysop, indefinite] [cascade]
This also protects the following pages:

Template:Strona główna
Template:Strona główna/domyślna
Template:Wiki kolor/ciemny+
Template:Wiki kolor/ciemny
Template:Wiki kolor/jasny
Template:Wiki kolor/jasny+
Template:Pluralform
Template:Promień ramki
Template:Nagłówek

Ammarpad added a comment.Dec 14 2019, 9:43 AM
In T240532#5739729, @Lucas_Werkmeister_WMDE wrote:

I would also be very surprised by this bug, because I’ve seen the exact opposite effect – I see “Edit” rather than “View source” on the enwiki page Wikipedia:Selected anniversaries/December 14, even though I don’t actually have the right to edit it.

Screen Shot 2019-12-13 at 17.44.09.png (480×640 px, 109 KB) Screen Shot 2019-12-13 at 17.44.17.png (480×640 px, 90 KB)

As far as I understand, this is because MediaWiki’s “is probably editable” check (in PermissionManager terms, a “quick” rather than “full” or “secure” check), which among other things governs the “edit” / “view source” distinction, does not take cascade protection into account – it would be too expensive to do so on every page view.

I believe I have seen this and later forgot where I saw it. It's a bug anyway, and should be fixed. Related: T219848

Ammarpad closed this task as Invalid.Dec 14 2019, 9:55 AM
In T240532#5741328, @Keyacom wrote:

On my wiki, the main page is protected with cascading protection:

PokéSpołeczeństwo Wiki (the main page, protected [edit=sysop, indefinite] [move=sysop, indefinite] [cascade]
This also protects the following pages:

Template:Strona główna
Template:Strona główna/domyślna
Template:Wiki kolor/ciemny+
Template:Wiki kolor/ciemny
Template:Wiki kolor/jasny
Template:Wiki kolor/jasny+
Template:Pluralform
Template:Promień ramki
Template:Nagłówek

The message is MediaWiki:Oasis-action-viewsource from Oasis skin. It is either being used wrongly in the code or mislabeled. It's also possible a MediaWiki bug was fixed at sometime since the version you're using is really old. Anyway, there's nothing to be done from MediaWiki side now. The actual bug (which seems to be the opposite of this one) is being tracked at T219848

Ammarpad mentioned this in T219848: Unprivileged users see "edit" on cascade protected page.Dec 14 2019, 10:05 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL