Page MenuHomePhabricator

Using $wgRevokePermissions doesn't revoke protection permissions when the 'editprotected' permission is assigned
Closed, ResolvedPublic

Description

Author: wwerawrko

Description:
If a user group is given the 'editprotected' right, and then a specific protection right is revoked, the revoking doesn't work.

For example:

$wgGroupPermissions['mygroup']['editprotected'] = true;
$wgRevokePermissions['mygroup']['mylevel'] = true;

I would expect that in this case, if a page was protected to the 'mylevel' level, then the 'mygroup' group would not be able to edit that page. The actual outcome is that revoking the 'mylevel' right has no affect.

In addition, if the 'mygroup' group also has the 'protect' permission, they can unprotect the page to a lower level.

For example:

$wgGroupPermissions['mygroup']['protect'] = true;
$wgGroupPermissions['mygroup']['editprotected'] = true;
$wgGroupPermissions['mygroup']['someotherlevel'] = true;
$wgRevokePermissions['mygroup']['mylevel'] = true;

I would expect that in this case, if a page was protected to the 'mylevel' level, then the 'mygroup' group would not be able to unprotect the page. The actual outcome is that they can unprotect it, and/or change the protection level to 'someotherlevel', which in my case is a lower level.


Version: unspecified
Severity: minor

Details

Reference
bz27152

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 21 2014, 11:13 PM
bzimport set Reference to bz27152.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Feb 4 2011, 6:35 AM

Thanks for reporting this. I can't help you at the moment, but I'll try to make sure someone who can has a look.

demon added a comment.Feb 4 2011, 6:43 PM

Adding CC of original author of the feature.

skizzerz wrote:

From my understanding, the purpose of the 'editprotected' permission is so that if you lack the permission to edit the page normally (in other words, you lack the permission that the page protection is set to), you would still be able to edit. Therefore, if my understanding is correct, then the correct behavior would be to allow editing any protected page no matter what permissions you have assigned or revoked.

If you remove the 'editprotected' permission from 'mygroup', then both of your cases should work as intended. If for some strange configuration reason you can't simply remove this permission, then please post exactly what sort of configuration you are trying to have so that I can either see why this bug needs to be "fixed" or if I can offer alternatives.

wwerawrko wrote:

(In reply to comment #3)

From my understanding, the purpose of the 'editprotected' permission is so that
if you lack the permission to edit the page normally (in other words, you lack
the permission that the page protection is set to), you would still be able to
edit. Therefore, if my understanding is correct, then the correct behavior
would be to allow editing any protected page no matter what permissions you
have assigned or revoked.
If you remove the 'editprotected' permission from 'mygroup', then both of your
cases should work as intended. If for some strange configuration reason you
can't simply remove this permission, then please post exactly what sort of
configuration you are trying to have so that I can either see why this bug
needs to be "fixed" or if I can offer alternatives.

Giving a specific permission to a group that also has the 'protect' right automatically gives them the ability to protect the page to that level, with no way of changing that. However, with 'editprotected', having the 'protect' right doesn't help unless you specifically have the right for one or more levels. What I was trying to do was give (in this example) 'mygroup' rights to edit all pages except 'mylevel', but only be able to 'protect' pages to 'someotherlevel'.

wwerawrko wrote:

Okay then, if this functionality isn't to be changed, what is the probability of having new functionality added for this? So that it's possible to give groups edit access to specific levels (but no protect/unprotect access), and edit access as well as protect/unprotect access to other levels.

Example code:

$wgGroupPermissions['mygroup']['mylevel'] = true Give edit access to 'mylevel' for 'mygroup', no protect/unprotect access
$wgGroupPermissions['mygroup']['anotherlevel-protect'] = true
Give edit access as well as protect/unprotect access to 'mylevel' for 'mygroup'

Using the example above, the 'protect' right could be preserved for giving protect/unprotect access to all levels that the user has edit access to (same as the current functionality), similar to how 'editprotected' is a special case. I'm sure there are also other ways that this could be implemented as well.

Change 71536 had a related patch set uploaded by Anomie:
Fix protection rights usage

https://gerrit.wikimedia.org/r/71536

Change 71536 merged by jenkins-bot:
Fix protection rights usage

https://gerrit.wikimedia.org/r/71536