Author: vbaites
Description:
I found out that in version 1.5.7, when I am logged out, the label ‘edit’ does not
change from ‘edit’ to ‘source view’. After digging into the code I realized that
the function ‘userCan(action)’ defined in Title.php was not giving the right
answer about whether a user can or cannot edit a page.
From line 941 of Title.php you have:
    foreach( $this->getRestrictions($action) as $right ) {
        // Backwards compatibility, rewrite sysop -> protect
        if ( $right == 'sysop' ) {
            $right = 'protect';
        }
        if( '' != $right && !$wgUser->isAllowed( $right ) ) {
            wfProfileOut( $fname );
            return false;
        }
    }
    if( $action == 'move' && !( $this->isMovable() && $wgUser->isAllowed( 'move' ) ) ) {
        wfProfileOut( $fname );
        return false;
    }
    wfProfileOut( $fname );
    return true;
}
The problem was in the foreach section, where the program asks for those groups
that can execute the action. In the case the user belongs to the sysop group, the
action is changed to protect. But the rest of the loop does not make sense, due to
the fact that the function isAllowed is called with different group names, but that
function only accepts actions. Therefore, for other actions to be verified, like
edit, the function is always going to return true.
I suggest this change:
- VEB
    foreach( $this->getRestrictions($action) as $right ) {
        // Backwards compatibility, rewrite sysop -> protect
        if ( $right == 'sysop' ) {
            $right = 'protect';
            if( '' != $right && !$wgUser->isAllowed( $right ) ) {
                wfProfileOut( $fname );
                return false;
            }
        }
    }
    if( $action == 'move' && !( $this->isMovable() && $wgUser->isAllowed( 'move' ) ) ) {
        wfProfileOut( $fname );
        return false;
    }
    # VEB
    if( !$wgUser->isAllowed( $action ) ) {
        wfProfileOut( $fname );
        return false;
    }
    wfProfileOut( $fname );
    return true;
}
Where the block marked VEB verifies the remaining actions.
Victor
PS: by the way my full name is Victor E. Bazterra.
Version: 1.5.x
Severity: normal
OS: Linux
Platform: PC
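
Added example, not part of the original report and not MediaWiki code: a simplified model of the check quoted above, comparing the original restriction loop with the same loop followed by the final isAllowed( $action ) check from the block marked VEB. DemoUser, passesRestrictions, userCanOriginal, userCanWithActionCheck and the sample users are hypothetical names constructed for this illustration; the 'move' branch is left out because only 'edit' is exercised.

```php
<?php
// Simplified stand-in for $wgUser: a flat list of rights (constructed for this example).
final class DemoUser {
    private $rights;
    public function __construct( array $rights ) { $this->rights = $rights; }
    public function isAllowed( $right ) { return in_array( $right, $this->rights, true ); }
}

// Restriction loop as quoted from Title.php: only the page's restrictions are consulted.
function passesRestrictions( DemoUser $user, array $restrictions ) {
    foreach ( $restrictions as $right ) {
        if ( $right == 'sysop' ) {
            $right = 'protect'; // backwards compatibility
        }
        if ( '' != $right && !$user->isAllowed( $right ) ) {
            return false;
        }
    }
    return true;
}

// Original behaviour: the requested action itself is never checked against the user.
function userCanOriginal( DemoUser $user, $action, array $restrictions ) {
    return passesRestrictions( $user, $restrictions );
}

// Same loop, followed by the final action check from the block marked VEB.
function userCanWithActionCheck( DemoUser $user, $action, array $restrictions ) {
    return passesRestrictions( $user, $restrictions ) && $user->isAllowed( $action );
}

// Constructed users: a logged-out reader without the 'edit' right, and a sysop.
$anon  = new DemoUser( [ 'read' ] );
$sysop = new DemoUser( [ 'read', 'edit', 'protect' ] );

$cases = [
    [ 'anon, unprotected page', $anon,  [] ],
    [ 'anon, sysop-protected',  $anon,  [ 'sysop' ] ],
    [ 'sysop, sysop-protected', $sysop, [ 'sysop' ] ],
];
foreach ( $cases as [ $label, $user, $restrictions ] ) {
    printf( "%-24s original=%s with-action-check=%s\n", $label,
        var_export( userCanOriginal( $user, 'edit', $restrictions ), true ),
        var_export( userCanWithActionCheck( $user, 'edit', $restrictions ), true ) );
}
```

The first case is the one the report describes: with no restrictions on the page the loop body never runs, so only the variant with the action check takes the user's missing 'edit' right into account.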