Page MenuHomePhabricator
Create Task
Maniphest T341002

Manually constructing action=delete URLs displays a deletion form instead of an error message
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:

A deletion forms appears, despite logged out users not having the delete permission (nor bigdelete, which is needed to actually delete Prague from enwiki):

image.png (1×3 px, 520 KB)

Actually submitting the form gives me an error message both logged out and from an insufficiently privileged account.

What should have happened instead?:

An error message should be shown, along the lines of "You need to be an administrator".

Notes

This issue gave me a mini heart attack for a short while and for a while I thought "OMG, logged out users can delete pages now, what happened". This has also confused at least one administrator who thought "I am not actually supposed to be able to delete big pages" (with more than 5k) revisions. So, this should be fixed even though it apparently isn't connected with a security vulnerability.

Details

SubjectRepoBranchLines +/-
DeleteAction: Avoid displaying the form unconditionallymediawiki/corewmf/1.41.0-wmf.15+8 -3
DeleteAction: Avoid displaying the form unconditionallymediawiki/corewmf/1.41.0-wmf.16+8 -3
DeleteAction: Avoid displaying the form unconditionallymediawiki/coremaster+8 -3
Customize query in gerrit

Related Objects

Event Timeline

Urbanecm created this task.Jul 3 2023, 6:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 3 2023, 6:50 PM
Urbanecm updated the task description. (Show Details)Jul 3 2023, 6:50 PM
Func subscribed.Jul 3 2023, 7:29 PM

Again, caused by c3e43d31874eb874d4132c2caa68b7258d6b9a0b (T337304). These classes should be carefully reviewed in case they introduced more issues.

gerritbot added a comment.Jul 3 2023, 8:10 PM

Change 935127 had a related patch set uploaded (by Func; author: Func):

[mediawiki/core@master] DeleteAction: Avoid displaying the form unconditionally

https://gerrit.wikimedia.org/r/935127

gerritbot added a project: Patch-For-Review.Jul 3 2023, 8:10 PM
Ammarpad added a project: Regression.Jul 3 2023, 8:13 PM
Urbanecm assigned this task to Func.Jul 4 2023, 9:19 AM

Thanks for the fix!

gerritbot added a comment.Jul 4 2023, 9:33 AM

Change 935127 merged by jenkins-bot:

[mediawiki/core@master] DeleteAction: Avoid displaying the form unconditionally

https://gerrit.wikimedia.org/r/935127

gerritbot added a comment.Jul 4 2023, 9:36 AM

Change 935121 had a related patch set uploaded (by Urbanecm; author: Func):

[mediawiki/core@wmf/1.41.0-wmf.16] DeleteAction: Avoid displaying the form unconditionally

https://gerrit.wikimedia.org/r/935121

gerritbot added a comment.Jul 4 2023, 9:36 AM

Change 935122 had a related patch set uploaded (by Urbanecm; author: Func):

[mediawiki/core@wmf/1.41.0-wmf.15] DeleteAction: Avoid displaying the form unconditionally

https://gerrit.wikimedia.org/r/935122

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.17; 2023-07-11).Jul 4 2023, 10:00 AM
gerritbot added a comment.Jul 4 2023, 1:35 PM

Change 935121 merged by jenkins-bot:

[mediawiki/core@wmf/1.41.0-wmf.16] DeleteAction: Avoid displaying the form unconditionally

https://gerrit.wikimedia.org/r/935121

Stashbot added a comment.Jul 4 2023, 1:35 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-04T13:35:49Z] <lucaswerkmeister-wmde@deploy1002> Started scap: Backport for [[gerrit:935121|DeleteAction: Avoid displaying the form unconditionally (T341002)]]

Stashbot added a comment.Jul 4 2023, 1:37 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-04T13:37:23Z] <lucaswerkmeister-wmde@deploy1002> urbanecm and lucaswerkmeister-wmde: Backport for [[gerrit:935121|DeleteAction: Avoid displaying the form unconditionally (T341002)]] synced to the testservers: mwdebug2002.codfw.wmnet, mwdebug1001.eqiad.wmnet, mwdebug1002.eqiad.wmnet, mwdebug2001.codfw.wmnet

Stashbot added a comment.Jul 4 2023, 1:44 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-04T13:44:14Z] <lucaswerkmeister-wmde@deploy1002> Finished scap: Backport for [[gerrit:935121|DeleteAction: Avoid displaying the form unconditionally (T341002)]] (duration: 08m 25s)

gerritbot added a comment.Jul 4 2023, 1:57 PM

Change 935122 merged by jenkins-bot:

[mediawiki/core@wmf/1.41.0-wmf.15] DeleteAction: Avoid displaying the form unconditionally

https://gerrit.wikimedia.org/r/935122

Stashbot added a comment.Jul 4 2023, 1:57 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-04T13:57:35Z] <lucaswerkmeister-wmde@deploy1002> Started scap: Backport for [[gerrit:935122|DeleteAction: Avoid displaying the form unconditionally (T341002)]]

Stashbot added a comment.Jul 4 2023, 1:59 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-04T13:59:02Z] <lucaswerkmeister-wmde@deploy1002> lucaswerkmeister-wmde and urbanecm: Backport for [[gerrit:935122|DeleteAction: Avoid displaying the form unconditionally (T341002)]] synced to the testservers: mwdebug2002.codfw.wmnet, mwdebug1001.eqiad.wmnet, mwdebug1002.eqiad.wmnet, mwdebug2001.codfw.wmnet

ReleaseTaggerBot edited projects, added MW-1.41-notes (1.41.0-wmf.15; 2023-06-27); removed MW-1.41-notes (1.41.0-wmf.17; 2023-07-11).Jul 4 2023, 2:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 4 2023, 2:10 PM
Stashbot added a comment.Jul 4 2023, 2:16 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-04T14:16:16Z] <lucaswerkmeister-wmde@deploy1002> Finished scap: Backport for [[gerrit:935122|DeleteAction: Avoid displaying the form unconditionally (T341002)]] (duration: 18m 41s)

Func closed this task as Resolved.Jul 4 2023, 4:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits