Page MenuHomePhabricator
Create Task
Maniphest T350347

Blocks should not apply to implicit rights
Closed, ResolvedPublic
Actions

Description

Implicit rights represent actions granted to all users. They can be rate limited, but not revoked. This indicates that the authorizeXXX methods on Authority should return true for these rights unless a rate limit is hit, regardless of whether the user is blocked. Letting such checks fail for blocked users has caused bugs such as T350202 and T350117.

For reference, the current list of implicit rights defined by core is defined in PermissionManager:

private const CORE_IMPLICIT_RIGHTS = [
		'renderfile',
		'renderfile-nonstandard',
		'stashedit',
		'stashbasehtml',
		'mailpassword',
		'changeemail',
		'confirmemail',
		'linkpurge',
		'purge',
	];

Extensions add to this list when they specify a rate limit for an action that is not also defined as a group permission.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
block,Permissions: Blocks should not apply to implicit rightsmediawiki/coreREL1_41+39 -3
block,Permissions: Blocks should not apply to implicit rightsmediawiki/coremaster+34 -3
Customize query in gerrit

Related Objects

Event Timeline

daniel created this task.Nov 2 2023, 8:44 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 2 2023, 8:44 AM
daniel added parent tasks: T346927: Release MW 1.41.0-rc.0, T346919: Release MediaWiki 1.41.0.Nov 2 2023, 8:45 AM
gerritbot added a comment.Nov 2 2023, 8:45 AM

Change 970858 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[mediawiki/core@master] Blocks should not apply to implicite rights.

https://gerrit.wikimedia.org/r/970858

gerritbot added a project: Patch-For-Review.Nov 2 2023, 8:45 AM
Aklapper added projects: MediaWiki-Blocks, MW-1.41-release.Nov 2 2023, 8:57 AM
Aklapper removed parent tasks: T346919: Release MediaWiki 1.41.0, T346927: Release MW 1.41.0-rc.0.
Umherirrender subscribed.Nov 2 2023, 7:37 PM

For the 'purge' action there are explicit checks in index.php and api.php for blocks due to T280226: CVE-2021-35197: Blocked users should not be able to issue purges (action=purge)
Feels like it could regress easily when PermissionManager skips the checks now, but it works with the existing checks in PurgeAction and ApiPurge class.

gerritbot added a comment.Nov 6 2023, 5:31 PM

Change 970858 merged by jenkins-bot:

[mediawiki/core@master] block,Permissions: Blocks should not apply to implicit rights

https://gerrit.wikimedia.org/r/970858

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.4; 2023-11-07).Nov 6 2023, 6:00 PM
gerritbot added a comment.Nov 6 2023, 6:02 PM

Change 972002 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[mediawiki/core@REL1_41] block,Permissions: Blocks should not apply to implicit rights

https://gerrit.wikimedia.org/r/972002

gerritbot added a comment.Nov 6 2023, 9:36 PM

Change 972002 merged by jenkins-bot:

[mediawiki/core@REL1_41] block,Permissions: Blocks should not apply to implicit rights

https://gerrit.wikimedia.org/r/972002

ReleaseTaggerBot added a project: MW-1.41-notes.Nov 6 2023, 10:00 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 6 2023, 10:11 PM
Jdforrester-WMF renamed this task from Blocks should not apply to implicite rights to Blocks should not apply to implicit rights.Nov 6 2023, 10:49 PM
Jdforrester-WMF closed this task as Resolved.
Jdforrester-WMF assigned this task to daniel.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits