Page MenuHomePhabricator
Create Task
Maniphest T315602

Do not allow to change move-protection settings without capability to move a page
Open, Needs TriagePublicBUG REPORT
Actions

Description

Steps to reproduce:

  • Add the following in your LocalSettings.php:
$wgRestrictionLevels[] = 'edituserrightsprotected';
$wgGroupPermissions['bureaucrat']['edituserrightsprotected'] = true;
  • Log in as a bureaucrat
  • Protect a page under these parameters: "Edit: Allow only administrators"; "Move: Allow only users with "edituserrightsprotected" permission"
  • Log out and log back in as an administrator (non-bureaucrat) user
  • Go to change protection of the page

Expected result: It shows an enabled dropdown for edit-protection and a disabled dropdown for move-protection.

Actual result: It shows an enabled dropdown for edit-protection and an enabled dropdown for move-protection. It will propose to set move-protection to a sysop-level or lower. That allows simply lowering the protection level and entirely bypassing it.

Software version: Any MW version that supports separate page protections. I've tested on MediaWiki 1.38

Related Objects

Event Timeline

Vlad5250 created this task.Aug 18 2022, 7:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 18 2022, 7:11 PM
Vlad5250 triaged this task as Medium priority.Aug 18 2022, 7:13 PM
Vlad5250 raised the priority of this task from Medium to High.Sep 23 2022, 1:34 PM
Vlad5250 updated the task description. (Show Details)
Aklapper added a comment.Sep 23 2022, 3:24 PM

@Vlad5250 Hi, do you plan to fix this yourself?

Vlad5250 added a comment.Sep 23 2022, 3:35 PM

@Aklapper No, I just wanted to report a security bug. For nonexistent pages, there was such a bug which was already fixed (T259562). But, it's still actual for existent pages where edit protection level is lower than move protection level.

Aklapper raised the priority of this task from High to Needs Triage.Sep 23 2022, 4:16 PM

Thanks. Resetting priority per last comment.

Vlad5250 added a comment.Nov 16 2022, 2:13 PM

Found a comment for T296154#7531622 regarding to this issue:

We never had to complaint about eliminators fully protecting pages because vi.wiki eliminators can't protect/edit pages at sysop level. However, they can unprotect sysop move/upload protected pages (but not create), as long as those pages are not sysop/editinterface edit protected. This "logic" first appeared when vi.wiki adapted eliminator group seven years ago [...]

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits