Page MenuHomePhabricator
Create Task
Maniphest T39588

make sure page protection works for data items
Closed, ResolvedPublic
Actions

Description

MediaWiki supports different levels of page protected. We should make sure this protection is applied to changes to wikidata items.

If Title::userCan() is used everywhere to check access before any modifications are applied, this *should* be sufficient, as that is supposed to check page protection too.

It's a bit unclear to me on what level the checks should be performed. Probably, the API should check, and perhaps Item::save should check again.

There should also be unit tests checking that user permissions and page protection are working.

Version: master
Severity: blocker
Whiteboard: storypoints: 2

Details

Reference
bz37588

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 22 2014, 12:23 AM
bzimport added projects: MediaWiki-extensions-WikibaseRepository, TestMe.
bzimport set Reference to bz37588.
bzimport added a subscriber: Unknown Object (MLST).
daniel created this task.Jun 14 2012, 11:38 AM
jeblad added a comment.Jun 25 2012, 6:55 PM

Changed isAllowed with userCan, but it seems like the page is a bit overly protective as a blocked user can't see the content at all. Perhaps its only my setup?

jeblad added a comment.Jun 25 2012, 6:58 PM

Approx idea for permissions/protections is that page protection and user blocking forms a lower bound on protecting page content with "userCan", and a more fine grained permission is built on top of that with "isAllowed". For now individual calls to content changing calls to the API is guarded, but later individual fields could be protected if necessary.

daniel added a comment.Jun 26 2012, 9:36 AM

Blocked users should be able to read, unless the wiki is private (reading is not allowed for anons) and wgBlockDisablesLogin is set.

Please compare the behavior for item pages to the behavior for wikitext pages. It should be the same wrt blocking/protection.

daniel added a comment.Jun 26 2012, 12:49 PM

Note: ItemViewAction needs to return false from requiresUnblock(), otherwise blocked users can't view. Maybe ItemViewAction should just extend ViewAction? Will look at this in the context of bug 37682.

jeblad added a comment.Jun 26 2012, 12:52 PM

Created attachment 10796
Screendump showing the effect of the block message on the page display.

Attached:

Bug_37588.png (751×1 px, 87 KB)

jeblad added a comment.Jun 27 2012, 1:09 PM

Changes in patchset https://gerrit.wikimedia.org/r/#/c/12907/

Denny added a comment.Jun 28 2012, 10:27 AM

Write tests for this.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL