Page MenuHomePhabricator
Create Task
Maniphest T263920

The createaccount permission is not revoked properly when using extension registration
Open, Needs TriagePublic
Actions

Description

When using the latest version of ConfirmAccount and activating it via wfLoadExtension( 'ConfirmAccount' ) the createaccount permission for * is not revoked by default, allowing spammers to use the CreateAccount page.

image.png (284×820 px, 19 KB)

Event Timeline

IijimaYun created this task.Sep 26 2020, 7:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 26 2020, 7:00 PM
IijimaYun updated the task description. (Show Details)Sep 26 2020, 7:20 PM
Reedy added subscribers: Legoktm, Reedy.Sep 26 2020, 7:22 PM

CC @Legoktm

Seems to be an issue related to merging/overriding of config... This time with GroupPermissions

I guess this isn't a common case we see in extensions; them changing the default config of MW core extensions...

Reedy renamed this task from The createaccount permission is not revoked properly when using wfLoadExtension to The createaccount permission is not revoked properly when using extension registration.Sep 26 2020, 7:23 PM
Reedy added a project: MediaWiki-Configuration.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL