Page MenuHomePhabricator

Normal admin cannot delete site-wide javascript page
Closed, InvalidPublicBUG REPORT

Description

See report at https://simple.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard#MediaWiki%3AGadget-newpagesbox.js - confirmed

As an admin (non interface admin)
When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js
I should see a delete option in the move menu

When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js?action=delete
I should be able to delete the gadget

Notes:
Also applies to attempting deletion via the api
Does not apply to deleting another user's javascript, only sitewide

Event Timeline

Restricted Application added a project: User-DannyS712. · View Herald TranscriptJun 25 2020, 8:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 triaged this task as High priority.Jun 25 2020, 8:46 PM
DannyS712 moved this task from Unsorted to Reports on the User-DannyS712 board.
DannyS712 moved this task from Backlog to User rights on the MediaWiki-User-management board.
DannyS712 updated the task description. (Show Details)Jun 25 2020, 8:58 PM

I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text, neither can I restore an accidentally deleted page.

I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text, neither can I restore an accidentally deleted page.

This is not intentional - see, eg, the documentation at https://en.wikipedia.org/wiki/Wikipedia:Interface_administrators#Technical_access - you should be able to delete it

@sbassett why is this not in the purview of the security team?

Hey @DannyS712 - The Security-Team is ostensibly interested in any security-related issue within the Wikimedia universe. But the way we are currently using our Phab team tag is primarily to triage incoming security tasks. While we'd love to work on all of these tasks, there is no feasible way we can do so given our current resources. So if we un-tag our team, it means there is very little probability we'd ever be able to directly work on the task. When a patch or solution does exist, we can of course be re-tagged (Incoming) for a quick review or security deployment.

eprodromou lowered the priority of this task from High to Medium.Jul 7 2020, 9:02 PM
eprodromou changed the subtype of this task from "Security Issue" to "Task".
eprodromou added a subscriber: eprodromou.

OK. I don't think this issue meets the requirements for being a security issue, since an interface admin can actually delete it, even though it's an "authorisation" issue. We'll take a look, but happy to see patches come in.

If it’s not a security issue, can you make it public? Even though it’s a “Task”-type task now, it still has a custom visibility policy hiding it from the public. (I don’t see how to change it, probably because I’m not allowed to do so.)

DannyS712 changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 8 2020, 2:53 AM
DannyS712 changed the edit policy from "Custom Policy" to "All Users".
DannyS712 changed the subtype of this task from "Task" to "Bug Report".
Ammarpad closed this task as Invalid.Jul 20 2020, 8:24 AM
Ammarpad added a subscriber: Ammarpad.

This is not a bug.

As an admin (non interface admin)
When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js
I should see a delete option in the move menu

"delete option" is shown if the user can actually delete the page (not based on mere presence of 'delete' permission in their usergroups' rights).

When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js?action=delete
I should be able to delete the gadget

That's not possible without editsitejs permission.

Editing/creating that page requires editsitejs permission which admins of simplewiki don't have. The page was later seamlessly deleted by another admin after they were temporarily given interface admin rights (which does include editsitejs).

This is not intentional - see, eg, the documentation at https://en.wikipedia.org/wiki/Wikipedia:Interface_administrators#Technical_access

That documentation is incorrect. Deleting siteconfig page requires corresponding editsite-* permission always (in addition to delete, of course). The claim was introduced in this edit. Either the writer did not understand the intricacies involved or probably they were mislead by what their account can do (since they have interface-admin rights on the wiki).

Notes:
Also applies to attempting deletion via the api

That shows things are working. You cannot delete it via any means without the required permissions.

Does not apply to deleting another user's javascript, only sitewide

That's intentional too. Normally modifying userconfig pages requires, in addition to other relevant checks, relevant edituser-* permission. The edituser-* part is however waivered for delete, revisiondelete and suppress requests. This is a hack to deal with another issue.

I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text,

Probably what you deleted was 'userconfig' page. You cannot delete siteconfig page without editsite-* permission. If you believe you did that or saw where it was done (without being interface admin/having the relevant editsite-* permission ), please provide a link to the deletion log, that might be a bug.

I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text,

Probably what you deleted was 'userconfig' page. You cannot delete siteconfig page without editsite-* permission. If you believe you did that or saw where it was done (without being interface admin/having the relevant editsite-* permission ), please provide a link to the deletion log, that might be a bug.

Yeah, probably that was the case. I still find it strange, though, that I can delete something, but I can’t view it from that point (so e.g. I can’t email it to the user whose page I accidentally deleted to let them restore it).

DannyS712 reopened this task as Open.Jul 20 2020, 9:41 AM

This is not a bug.

When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js?action=delete
I should be able to delete the gadget

That's not possible without editsitejs permission.

From what I recall this was possible previously (deleting without being able to edit the site js pages). If not, it should be, for the same reason the exclusions were added to allow deletion of user js when normal admins couldn't edit them. If its not a bug then its a feature request, not invalid.

Ammarpad closed this task as Invalid.EditedJul 20 2020, 9:51 AM

This bug report is invalid. The code is working as intended. If you want request something open a new task and explain that there.

The hack was intentionally not added for siteconfig pages because the rationale for adding it to userconfig pages T200176 does not apply there.

This is not a bug.

When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js?action=delete
I should be able to delete the gadget

That's not possible without editsitejs permission.

From what I recall this was possible previously (deleting without being able to edit the site js pages). If not, it should be, for the same reason the exclusions were added to allow deletion of user js when normal admins couldn't edit them. If its not a bug then its a feature request, not invalid.

It was never possible (after creation of interface admin). You're probably recollecting wrong. Otherwise provide a link to where such deletions happened.

Ammarpad added a comment.EditedJul 20 2020, 10:00 AM

I have clarified the incorrect documentation that led to this confusion. The transcluded table chart may also need to be updated.

Ammarpad added a subscriber: Tgr.Jul 20 2020, 10:04 AM
DannyS712 removed a project: User-DannyS712.

This bug report is invalid. The code is working as intended, you should get that. If you want request something open a new task and explain that there.

The hack was intentionally not added for siteconfig pages because the rationale for adding it to userconfig pages T200176 does not apply there.

Not sure why a different task is needed, rather than just changing the subtype of this to a feature request, but fine. See T258383: Allow Administrators to delete site-wide script pages

Ammarpad added a comment.EditedJul 22 2020, 6:22 AM

Not sure why a different task is needed, rather than just changing the subtype of this to a feature request

It's important to keep it in case of similar future misunderstanding. Changing the scope completely will obscure the discussion and makes it harder to differentiate valid bug reports and invalid ones (like this task).

Ammarpad removed a subscriber: Ammarpad.Jul 22 2020, 6:23 AM