Page MenuHomePhabricator
Create Task
Maniphest T265626

Protect API can allow (and display) an inaccurate move level alongside cascade protection
Open, Needs TriagePublic
Actions

Description

Protect's API is generous with errors when using the cascade option; as an example, supplying a non-sysop edit level with cascade will just drop the cascade option rather than return an error. Similarly, submitting edit=sysop and cascade=true will apply cascade protection, regardless of what move protection is also submitted. That's fine, and is in line with the above assumption, but the page protection log will then show that move level protection, even while the page is cascade protected. That is:

"action": "protect",
"protections": "edit=sysop|move=autoconfirmed",
"cascade": 1
}

Will generate a log entry reading:

[Edit=Allow only administrators] (indefinite) [Move=Allow only autoconfirmed users] (indefinite) [cascading]

I would not expect the average user seeing that to assume that an autoconfirmed user can not move that page (see also T27912) when the log entry explicitly says it allows autoconfirmed users to move a page. You can even appear to remove move protection.

In such cases, I would expect the API to either return an error or (more in line with the above two examples) silently convert the move level to sysop.

Related Objects

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL