Page MenuHomePhabricator

Do not allow to change move-protection settings without capability to move a page
Open, Needs TriagePublicBUG REPORT


Steps to reproduce:

  • Add the following in your LocalSettings.php:
$wgRestrictionLevels[] = 'edituserrightsprotected';
$wgGroupPermissions['bureaucrat']['edituserrightsprotected'] = true;
  • Log in as a bureaucrat
  • Protect a page under these parameters: "Edit: Allow only administrators"; "Move: Allow only users with "edituserrightsprotected" permission"
  • Log out and log back in as an administrator (non-bureaucrat) user
  • Go to change protection of the page

Expected result: It shows an enabled dropdown for edit-protection and a disabled dropdown for move-protection.

Actual result: It shows an enabled dropdown for edit-protection and an enabled dropdown for move-protection. It will propose to set move-protection to a sysop-level or lower. That allows simply lowering the protection level and entirely bypassing it.

Software version: Any MW version that supports separate page protections. I've tested on MediaWiki 1.38

Event Timeline

Vlad5250 triaged this task as Medium priority.Aug 18 2022, 7:13 PM
Vlad5250 raised the priority of this task from Medium to High.Sep 23 2022, 1:34 PM
Vlad5250 updated the task description. (Show Details)

@Vlad5250 Hi, do you plan to fix this yourself?

@Aklapper No, I just wanted to report a security bug. For nonexistent pages, there was such a bug which was already fixed (T259562). But, it's still actual for existent pages where edit protection level is lower than move protection level.

Found a comment for T296154#7531622 regarding to this issue:

We never had to complaint about eliminators fully protecting pages because eliminators can't protect/edit pages at sysop level. However, they can unprotect sysop move/upload protected pages (but not create), as long as those pages are not sysop/editinterface edit protected. This "logic" first appeared when adapted eliminator group seven years ago [...]