Page MenuHomePhabricator
Create Task
Maniphest T297949

Can't render page listed in $wgWhitelistReadRegexp
Open, Needs TriagePublicBUG REPORT
Actions

Description

The following lines are defined in LocalSettings.php

  • $wgGroupPermissions['*']['read'] = false;
  • $wgWhitelistReadRegexp = [ '/^Public:/' ];

What happens?:

The public page can be read without login, however, with render action the LoginRequired page is the response.

What should have happened instead?:

The rendered response is part of the full read view (the content div).
If a configuration allow read then the same configuration should allow render as well.

Version:
Installed software
Product Version
MediaWiki 1.37.1
PHP 7.4.23 (litespeed)
MySQL 5.7.35-cll-lve
ICU 63.1

Related Objects

Event Timeline

Kdanni created this task.Dec 17 2021, 1:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 17 2021, 1:56 PM
Legoktm changed the task status from Open to Stalled.Dec 17 2021, 9:24 PM
Legoktm subscribed.

@Kdanni can you explain your use case? I note that the Action API has the same issue, action=parse explicitly requires the 'read' user-right. But I think it's intentional as a security defense mechanism, and given recent events I would expect significant opposition to changing that...

Kdanni added a comment.Dec 19 2021, 8:45 AM

Use Case: My main use for a wiki installation is a browser agnostic bookmark solution.

I have pages with links.
Trivial links are on public pages. I has access to them in any new browser profile or on shared machine.
Critical links (access token in the link and similar urls) are on private pages.

Some of the rendered public pages with the links was injected into the header of my other system as a navigation bar. And after the upgrade the login require pages appeared there.

I have panicked when i saw the login pages injected to my other system. Maybe I was fast fingered with my report.
I found a work around. I managed query the content div in the dom three of the full page. So accessing the rendered page would be a quality of life thing for me now.

I still think the a page should be read access without the site only with the rendered content. (If there is a workaround without the action api then sorry for your time.)

Thanks

BilalShirwani closed this task as a duplicate of T298058: [Impact Analysis] Evaluate Impact of Mobile Reply and New Discussion Tools.Dec 20 2021, 11:57 PM
JJMC89 reopened this task as Open.Dec 21 2021, 12:13 AM
Viktor838 subscribed.Sep 20 2022, 11:00 AM

Similar problem.
The defined variable $wgWhitelistReadRegexp[] = '/^Public:/'; (within LocalSettings.php) works fine when pages are requested with the single URL parameter "title=...".
What happens?:
If the additional URL parameter "action=raw" is used, there is no access to the pages defined by $wgWhitelistReadRegexp.
Example URL that works: https://www.yourwiki.com/index.php?title=Public:YourPageName
Example URL that does not work: https://www.yourwiki.com/index.php?title=Public:YourPageName&action=raw
This is an undesirable behavior.
I would really need public access to some pages (defined by $wgWhitelistReadRegexp[]) including the usage of the URL parameter "action=raw".

What should have happened instead?:
When access is available for a page defined by $wgWhitelistReadRegexp, of course the raw page data should also be accessable with the additional URL parameter "action=raw".

Version;
MediaWiki 1.39.0-beta (7144323)
PHP 7.4.3 (fpm-fcgi)
MySQL 8.0.30-0ubuntu0.20.04.2
ICU 66.1
Pygments 2.11.2

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL