Page MenuHomePhabricator
Create Task
Maniphest T420810

CentralNotice banner page lets people without permissions visually modify stuff
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:

Various things are still editable:

  • The "translatable banner messages" dropdown (or maybe this is to view stuff, I can't tell)
  • The priority languages multiselect
  • The "Insert: close button" link is still functional and modifies the otherwise uneditable big textbox

What should have happened instead?:

The entire page is uneditable if you can't edit it.

Also:

Since you know in advance that only people who can edit the page can preview, the dysfunctional "Live preview" box should be hidden. And the pointless "you aren't authorized to preview" alert can go with it too.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Disable banner-body textarea for users without banner edit permissionmediawiki/extensions/CentralNoticemaster+1 -0
Check edit permission for insert close button and banner translation UImediawiki/extensions/CentralNoticemaster+33 -18
Customize query in gerrit

Related Objects

Event Timeline

Pppery created this task.Mar 21 2026, 5:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2026, 5:27 AM
Pppery mentioned this in T393834: CentralNotice campaign page lets people without permissions visually modify stuff.Mar 21 2026, 5:28 AM
Johannnes89 subscribed.Mar 21 2026, 9:39 AM
Johannnes89 added a comment.Mar 21 2026, 9:41 AM

Since you know in advance that only people who can edit the page can preview, the dysfunctional "Live preview" box should be hidden. And the pointless "you aren't authorized to preview" alert can go with it too.

Ideally the preview should just work for non-CN-admins, would make it much easier for them to check if a banner is correct (no need for onwiki preview)

gerritbot added a comment.Apr 5 2026, 12:41 PM

Change #1268090 had a related patch set uploaded (by Aude; author: Aude):

[mediawiki/extensions/CentralNotice@master] Check edit permission for insert close button and translatable form UI

https://gerrit.wikimedia.org/r/1268090

gerritbot added a project: Patch-For-Review.Apr 5 2026, 12:41 PM
aude mentioned this in T422366: Allow read-only CentralNotice banner preview for logged-in users without the centralnotice-admin right.EditedApr 6 2026, 10:53 AM
aude subscribed.

I submitted a patch (in volunteer capacity) to fix the issue with having editable fields visible on Special:CentralNoticeBanners/edit for users who do not have edit permissions.

To have preview work for users who do not have centralnotice-admin rights, I created another task:

https://phabricator.wikimedia.org/T422366

Johannnes89 added a comment.Apr 6 2026, 11:08 AM

Thanks! I believe your patch might solve T248217: Special:CentralNoticeBanners throws BannerPreviewPermissionsException on viewing as well?

aude added a project: WikiNYC Tech Committee.Apr 14 2026, 11:37 PM
aude moved this task from Backlog to In Progress on the WikiNYC Tech Committee board.
aude moved this task from In Progress to Code Review on the WikiNYC Tech Committee board.
saper subscribed.Apr 27 2026, 7:20 PM

I've run into this today, after running into the T248217 problem.

So we disable the editing completely, only to file T422366 to restore the preview?

This is strange.

saper added a comment.Apr 27 2026, 7:22 PM

It is also extremely frustrating to figure out what is going on. Maybe the JavaScript popup could refer the user to one of those Phabricator tickets?

It took me some time, JavaScript debugger, git checkout of the CentralNotice extension, some git grep for the error message to figure out we have a problem somewhere here in those at least 4 phabricator tickets.

Ciell subscribed.May 1 2026, 1:18 PM
aude added a project: Wikimedia-Hackathon-2026.May 2 2026, 12:35 PM
gerritbot added a comment.May 2 2026, 9:50 PM

Change #1268090 merged by jenkins-bot:

[mediawiki/extensions/CentralNotice@master] Check edit permission for insert close button and banner translation UI

https://gerrit.wikimedia.org/r/1268090

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.1; 2026-05-05).May 2 2026, 10:00 PM
Maintenance_bot removed a project: Patch-For-Review.May 2 2026, 10:31 PM
gerritbot added a comment.May 3 2026, 1:47 PM

Change #1281989 had a related patch set uploaded (by Aude; author: Aude):

[mediawiki/extensions/CentralNotice@master] Disable banner-body textarea for non-CNadmins

https://gerrit.wikimedia.org/r/1281989

gerritbot added a project: Patch-For-Review.May 3 2026, 1:47 PM
gerritbot added a comment.May 3 2026, 2:37 PM

Change #1281989 merged by jenkins-bot:

[mediawiki/extensions/CentralNotice@master] Disable banner-body textarea for users without banner edit permission

https://gerrit.wikimedia.org/r/1281989

Maintenance_bot removed a project: Patch-For-Review.May 3 2026, 3:31 PM
Aklapper moved this task from Backlog to Proposed Projects on the Wikimedia-Hackathon-2026 board.May 4 2026, 9:12 AM
aude claimed this task.Sat, May 23, 3:50 PM

This was fixed at the hackathon in Milan, with a [ Preview on wiki ] link (done in T422366) for non-CentralNotice admins to preview the banners.

aude closed this task as Resolved.Sat, May 23, 3:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits