Author: ju.ju2004
Description:
I had some suprising results with 'userCan' hook: user was allowed to edit a page although the $result value returned by the function hooked was false. So I took a look at the code. Title::UserCan calls Title::getUserPermissionErrorsInternal which calls Title::checkPermissionHooks, which runs 'UserCan' hook. Here is a piece of this code :
private function checkPermissionHooks( $action, $user, $errors, $doExpensiveQueries, $short ) {
...
if ( !wfRunHooks( 'userCan', array( &$this, &$user, $action, &$result ) ) ) {
return $result ? array() : array( array( 'badaccess-group0' ) );
}
...
}
If the function called by hook 'userCan' (or 'getUserPermissionsErrors' or 'getUserPermissionsErrorsExpensive') returns true, the value of $result is never considered. That means that a false "$result" will have no effect on the result of Title::UserCan. Is this conscious ? Should my hook return $result instead of true ?
Version: 1.17.x
Severity: minor
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=34856