Page MenuHomePhabricator
Create Task
Maniphest T362536

System message "Badaccess-groups" contradiction
Open, Needs TriagePublicBUG REPORT
Actions

Assigned To
None
Authored By
Wilf233
Mon, Apr 15, 2:16 PM
Tags
Referenced Files
Unknown Object (File)
Tue, Apr 16, 4:09 AM
Unknown Object (File)
Mon, Apr 15, 3:46 PM
F46776222: image.png
Mon, Apr 15, 2:16 PM
F46776026: image.png
Mon, Apr 15, 2:16 PM
Subscribers
Aklapper
Anterdc99
Dianliang233
Wilf233

Description

Steps to replicate the issue:

  • Log in Chinese Minecraft Wiki in an account with "patrollers", "users" and "autoconfirmed" user groups only. (This user group contains user rights browsearchive and undelete, but without the rights editinterface.) You can see the user group rights here.
  • View deleted pages in MediaWiki namespace. Here is an example.

What happens?:
A system message says,
You do not have permission to view metadata of deleted history entries, for the following reason:
The action you have requested is limited to users in one of the groups: Sysadmins, patrollers, CATS, Administrators.

What should have happened instead?:
The user group in the system message should not include "patrollers", like
You do not have permission to view metadata of deleted history entries, for the following reason:
The action you have requested is limited to users in one of the groups: Sysadmins, CATS, Administrators.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
1.41.1

Other information (browser name/version, screenshots, etc.):

image.png (540×2 px, 119 KB)

image.png (210×674 px, 20 KB)

Details

SubjectRepoBranchLines +/-
PermissionManager: Allow some readonly user rights bypass NSProtectionmediawiki/coremaster+6 -0
Customize query in gerrit

Related Objects

Event Timeline

Wilf233 created this task.Mon, Apr 15, 2:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMon, Apr 15, 2:16 PM
Wilf233 attached a referenced file: F46776026: image.png. (Show Details)Mon, Apr 15, 2:18 PM
Aklapper added projects: MediaWiki-General, Voice & Tone.Mon, Apr 15, 2:20 PM
Anterdc99 subscribed.EditedMon, Apr 15, 3:39 PM

Can confirm in MediaWiki 1.43.0-alpha (c67d907), seems caused by the permission checker can not properly handle namespace protection.

The undelete link also shows, might related to this.

Shizhao added a project: Chinese-Sites.Tue, Apr 16, 2:58 AM
Dianliang233 subscribed.Tue, Apr 16, 5:29 AM
gerritbot added a comment.Tue, Apr 16, 4:28 PM

Change #1020285 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@master] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1020285

gerritbot added a project: Patch-For-Review.Tue, Apr 16, 4:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL