
Comments: Server must reject comments if they come from users without "comment" right.
Closed, ResolvedPublic

Description

Author: van.de.bugger

Description:
Trivial patch.

Hi,

If user does not have "comment" right, hiding edit field is not enough. Server must also validate user rights and reject comments coming from users with no "comment" right, otherwise smart guys can post comments.


Version: unspecified
Severity: normal


Details

Reference
bz34303

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:18 AM
bzimport set Reference to bz34303.

van.de.bugger wrote:

The same issue for voting. See the next function, wfCommentVote:

    // Blocked users cannot vote, obviously
    if( $wgUser->isBlocked() ) {
        return '';
    }

Must be

    // Blocked users cannot vote, obviously
    if( ! $wgUser->isAllowed( 'comment' ) || $wgUser->isBlocked() ) {
        return '';
    }

van.de.bugger wrote:

Hmm... Similar issue for other conditions: checking conditions on UI side is not enough. For example, hiding vote buttons at user's own messages is not enough, server side should recheck all the conditions and reject invalid operations.

I was able to add a vote to my own messages...
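One way to lay out the server-side checks the two comments above ask for (right check, block check, and the object-level "not your own message" rule), as an added example that is not the Comments extension's code and not the patch later committed for this bug. StubUser is a constructed stand-in for MediaWiki's User object that mirrors only the three methods used here (isAllowed, isBlocked, getId); the comment record is a plain array; the function names checkCommentSubmit and checkCommentVote are assumptions for this illustration. The point is that the AJAX entry point repeats every condition the UI enforces by hiding controls, and performs no write when any check fails.

```php
<?php
// Added example: server-side re-validation for the comment-submit and
// comment-vote AJAX paths. Not the extension's own code.
// StubUser is a constructed stand-in for MediaWiki's User; only the three
// methods the checks need are mirrored.

class StubUser {
    private $id;
    private $rights;
    private $blocked;

    public function __construct( $id, array $rights, $blocked = false ) {
        $this->id = $id;
        $this->rights = $rights;
        $this->blocked = $blocked;
    }
    public function getId() { return $this->id; }
    public function isAllowed( $right ) { return in_array( $right, $this->rights, true ); }
    public function isBlocked() { return $this->blocked; }
}

// Returns null when the request may proceed, otherwise a short reason string.
// The AJAX handler returns '' to the client on any non-null result and
// performs no database write; the reason is only for logging.
function checkCommentSubmit( StubUser $user, $commentText ) {
    // The hidden edit field in the UI proves nothing about the request.
    if ( !$user->isAllowed( 'comment' ) ) {
        return 'no-comment-right';
    }
    if ( $user->isBlocked() ) {
        return 'blocked';
    }
    if ( trim( (string)$commentText ) === '' ) {
        return 'empty-comment';
    }
    return null;
}

// Same shape for voting. The last check is the object-level condition the UI
// enforces only by hiding the vote buttons on the user's own messages.
function checkCommentVote( StubUser $user, array $comment, $voteValue ) {
    if ( !$user->isAllowed( 'comment' ) ) {
        return 'no-comment-right';
    }
    if ( $user->isBlocked() ) {
        return 'blocked';
    }
    // Request parameters arrive as strings; normalise before comparing, and
    // accept only the two values the UI can legitimately produce.
    $voteValue = (int)$voteValue;
    if ( $voteValue !== 1 && $voteValue !== -1 ) {
        return 'bad-vote-value';
    }
    if ( (int)$comment['user_id'] === $user->getId() ) {
        return 'own-comment';
    }
    return null;
}

// Constructed sample data: one comment authored by user 7, and four callers.
$comment = array( 'id' => 42, 'user_id' => 7, 'text' => 'hello' );
$author  = new StubUser( 7, array( 'comment' ) );
$reader  = new StubUser( 8, array() );               // lacks the 'comment' right
$voter   = new StubUser( 9, array( 'comment' ) );
$blocked = new StubUser( 10, array( 'comment' ), true );

assert( checkCommentSubmit( $reader, 'hi' ) === 'no-comment-right' );
assert( checkCommentSubmit( $blocked, 'hi' ) === 'blocked' );
assert( checkCommentSubmit( $voter, '   ' ) === 'empty-comment' );
assert( checkCommentSubmit( $voter, 'hi' ) === null );
assert( checkCommentVote( $reader, $comment, '1' ) === 'no-comment-right' );
assert( checkCommentVote( $author, $comment, '1' ) === 'own-comment' );
assert( checkCommentVote( $voter, $comment, '2' ) === 'bad-vote-value' );
assert( checkCommentVote( $voter, $comment, '-1' ) === null );
echo "all checks behave as expected\n";
```

Run it with `php example.php`. The ordering matters for auditability: the cheap, request-independent checks (right, block) come first so a rejected caller never reaches the per-object lookup, and the handler does its state change only after the full chain returns null.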

sumanah wrote:

Hey, Van, I'm adding the "patch" and "need-review" keywords here to indicate that the patch awaits review.

There's been a bit of a delay in the review of patches here -- as we prepare to get a new version out, we're in a "code slush" during which we concentrate on reviewing code that has already been committed to our source code repository (see http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/57950 for more details). But we'll try to respond to your contribution soon. Thanks for the patch!

If you provide a fuller patch covering all the conditions you think should be covered, then I can apply it. Please see https://www.mediawiki.org/wiki/How_to_become_a_MediaWiki_hacker#Submit_your_changes for more info on how to do this, if needed.

Thanks for the patch Van, I've committed a patch based on yours to SVN in r115613, which adds user rights checking to two AJAX functions, wfCommentSubmit and wfCommentVote. Now the AJAX interface correctly enforces user rights and users who do not have the 'comment' user right can no longer submit new comments or vote on existing comments.

I believe that this should be about it and I'm suggesting closing this as RESOLVED FIXED, unless new issues pop up.

van.de.bugger wrote:

Hi,

I thought the process is: If you committed the fix, please move it to RESOLVED state. When I check the fix I will move the record to VERIFIED state. Then you can move it to CLOSED.

Closing the bug as the fix has been committed a while ago.