Page MenuHomePhabricator

Upload page requires login even if permissions are set to allow
Closed, ResolvedPublic

Description

Author: bugzilla.wikimedia

Description:
This happened after an upgrade from v1.5.7 to v1.7.1 and appears to affect
v1.7.1. I have not tested on any other version.

The LocalSettings.php file has the following settings:

  1. Allow 'anonymous' uploads $wgGroupPermissions['*']['upload'] = true; $wgGroupPermissions['*']['reupload'] = true; $wgGroupPermissions['*']['reupload-shared'] = true;

Furthermore, there is an array that contains a list of permitted files (nothing
unusual, just the standard ones) and the $wgEnableUploads directive is set to true.

Users who were not logged in could upload before the upgrade, but the
Special:Upload page now informs those users that they must be logged in,
regardless of the settings. Logging into a basic account does, in fact, allow
uploads.

This issue has been confirmed on both upgraded and fresh MediaWiki 1.7.1
installations on Mac OS X 10.4 (PHP 5.1.1), Linux, and FreeBSD (sorry no versions).

The bug appears to be in includes/SpecialUpload.php, lines 107-115, where
permissions for uploading are checked:

107 if( $wgUser->isLoggedIn() ) {
108 if( !$wgUser->isAllowed( 'upload' ) ) {
109 $wgOut->permissionRequired( 'upload' );
110 return;
111 }
112 } else {
113 $wgOut->showErrorPage( 'uploadnologin', 'uploadnologintext' );
114 return;
115 }

It appears to be a logic flaw in that the "isAllowed" upload check is inside the
"isLoggedIn" check, which effectively forces the user to be logged in regardless
of settings.

Since previous versions have worked this way, and several installations I use
rely on this feature, the current version should be repaired to allow anonymous
to upload files if the settings are set to allow "*" users to upload.


Version: 1.7.x
Severity: normal

Details

Reference
bz7287

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:26 PM
bzimport set Reference to bz7287.
bzimport added a subscriber: Unknown Object (MLST).

ayg wrote:

Already fixed, r16199. Either upgrade to trunk or downgrade to 1.6.x if you
want the fix to be applied (my impression is that nobody usually bothers
backporting bug fixes unless they're security issues, but you could ask a dev to
backport it to 1.7 if you want).

rotemliss wrote:

The problem is already exist in 1.6.x, although it's not exist in 1.5.x. You can
patch your installation.

rotemliss wrote:

*** This bug has been marked as a duplicate of 5970 ***

Change 197112 had a related patch set uploaded (by Rush):
phab work around dupe exim waiting on T9287

https://gerrit.wikimedia.org/r/197112

Change 197112 merged by Rush:
phab work around dupe exim waiting on T9287

https://gerrit.wikimedia.org/r/197112

@chasemp I imagine that was upstream T9287, right?

my bad: T92879 was what I mean