Last modified: 2012-03-07 20:16:46 UTC
Until MediaWiki 1.11.2, when restricting access whith for example theses settings in LocalSettings.php : $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['edit'] = false; $wgShowIPinHeader = false; # For non-logged in users $wgWhitelistRead = array( "Accueil", "Special:Userlogin", "Special:Listusers", "Aide:Aide", ); $wgGroupPermissions['*']['read'] = false; $wgGroupPermissions['user']['createaccount'] = true; it remained possible to have the full description of diffs within RSS feeds. Since MW 1.12 and MW 1.13, only remains the title and the author of the change. The diffs aren't present any more in the RSS although the feed is allready protected (can't be read without being logged in). How is it possible to have the diffs still present in RSS/Atom feeds when a wiki is read-protected ? Feeds help saving lots of time even on protected wikis !
Still current, got a complaint on internal.wikimedia.org and confirmed. Culprit seems to be a bogus permission check in FeedUtils::formatDiffRow(): //NOTE: Check permissions for anonymous users, not current user. // No "privileged" version should end up in the cache. // Most feed readers will not log in anway. $anon = new User(); $accErrors = $title->getUserPermissionsErrors( 'read', $anon, true ); On a fully-restricted site, anonymous viewers wouldn't be able to reach a feed at all, so this makes no sense -- you just end up with a feed that's just missing content for all the people who *can* read it. This might make sense on a partially-restricted site, where the feed is accessible but some pages can't be read by anon visitors... in which case you'd still be exposing various edit information that you likely ought not to.
(In reply to comment #1) > Still current, got a complaint on internal.wikimedia.org and confirmed. > > Culprit seems to be a bogus permission check in FeedUtils::formatDiffRow(): > > //NOTE: Check permissions for anonymous users, not current user. > // No "privileged" version should end up in the cache. > // Most feed readers will not log in anway. > $anon = new User(); > $accErrors = $title->getUserPermissionsErrors( 'read', $anon, true ); > > On a fully-restricted site, anonymous viewers wouldn't be able to reach a feed > at all, so this makes no sense -- you just end up with a feed that's just > missing content for all the people who *can* read it. > > This might make sense on a partially-restricted site, where the feed is > accessible but some pages can't be read by anon visitors... in which case you'd > still be exposing various edit information that you likely ought not to. It's good to feel understood :-) Any chance to see an evolution about that ? Could an existing extension help turn around the problem ?
Brion, > Culprit seems to be a bogus permission check in FeedUtils::formatDiffRow(): Do you suppose you could check out removing the bogus permission check and see what happens?
Thank you Mark for your interest in this problem. Does anyone have an idea of the evolution of this bug ?
(In reply to comment #4) > Does anyone have an idea of the evolution of this bug ? I'll bring it up in our next bug triage.
Experimental extension checked in today: http://www.mediawiki.org/wiki/Extension:FeedsFromPrivateWikis
Not planning to solve this for 1.18
(In reply to comment #7) > Not planning to solve this for 1.18 Any chance it can be solved with 1.19 ? Or does any one know how to make http://www.mediawiki.org/wiki/Extension:FeedsFromPrivateWikis compatible with 1.18 ?
(In reply to comment #8) > Or does any one know how to make > http://www.mediawiki.org/wiki/Extension:FeedsFromPrivateWikis compatible with > 1.18 ? I just tried it in 1.18 and didn't see any obvious problems. But I did not test thoroughly. What problems are you seeing?
(In reply to comment #9) > (In reply to comment #8) > > Or does any one know how to make > > http://www.mediawiki.org/wiki/Extension:FeedsFromPrivateWikis compatible with > > 1.18 ? > > I just tried it in 1.18 and didn't see any obvious problems. But I did not > test thoroughly. What problems are you seeing? Same problem as with the other Feed : it gives only the title of the modification, not it's content.
Did anybody try with MW 1.19 ?
