Last modified: 2011-03-13 18:05:58 UTC

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T18344, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 16344 - Major security flaw in protecting pages
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: Page protection
Version: 1.14.x
Hardware: All All
Importance: Lowest major
Assigned To: Nobody - You can work on this!

Reported: 2008-11-15 03:47 UTC by Techman224
Modified: 2011-03-13 18:05 UTC (History)

Description Techman224 2008-11-15 03:47:17 UTC
When you add a right in MediaWiki to be used for page protection, let's say founder: I went to protect a page, and I set editing to sysops only and move permissions to founders only. I then created an account and gave it sysop rights only, and I was able to edit the move rights to a lower level. If a test account with admin rights can do it, then so can any other administrator.
Comment 1 Charles Melbye 2008-11-15 03:49:00 UTC
This is a problem with his wiki host, YourWiki. I've instructed him to move his request to our Support Desk there. Changing to closed.
Comment 2 Brett Hillebrand 2008-11-15 03:52:08 UTC
If you also add protect as a protection type that will stop this happening.
Comment 3 Charles Melbye 2008-11-15 03:55:17 UTC
Do you mean a "restriction level"? Or something different?
Comment 4 Brett Hillebrand 2008-11-15 03:57:53 UTC
Yes, example given:

$wgRestrictionLevels = array ( '', 'autoconfirmed', 'sysop', 'Staff' );
$wgRestrictionTypes = array( 'edit', 'move', 'delete', 'protect' );

Note how protection itself is a protection type.
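
The effect of the setting in Comment 4, as an added example that is not part of this thread or of MediaWiki's code: a simplified Python model of why a sysop can lower a founder-only move restriction unless 'protect' is itself a restricted action. It assumes that a restriction level names the right a user must hold and that the 'sysop' level is satisfied by the 'protect' right; the rights sets and function names are constructed for illustration.

```python
# Simplified model of the behaviour described in this thread (constructed for
# illustration; not MediaWiki source code).

# Assumption: a restriction level names the right a user must hold, and the
# legacy 'sysop' level is satisfied by the 'protect' right.
LEVEL_TO_RIGHT = {"sysop": "protect"}

SYSOP = {"edit", "move", "protect"}      # constructed rights sets
FOUNDER = SYSOP | {"founder"}


def allowed(rights, page, action):
    """True if the user may perform `action` on a page with these restrictions."""
    if action == "protect" and "protect" not in rights:
        return False                      # changing protection needs 'protect'
    level = page.get(action, "")
    return level == "" or LEVEL_TO_RIGHT.get(level, level) in rights


def set_protection(rights, page, types, changes):
    """Return the page's new restrictions, or raise if the change is refused."""
    if not allowed(rights, page, "protect"):
        raise PermissionError("protection settings are themselves restricted")
    unknown = set(changes) - set(types)
    if unknown:
        raise ValueError(f"not a configured restriction type: {sorted(unknown)}")
    return {**page, **changes}


def sysop_can_unlock_move(types):
    """Founder locks the page as far as `types` allows; can a sysop undo it?"""
    wanted = {"edit": "sysop", "move": "founder", "protect": "founder"}
    page = set_protection(FOUNDER, {}, types,
                          {t: lvl for t, lvl in wanted.items() if t in types})
    assert not allowed(SYSOP, page, "move")   # move is founder-only at first
    try:
        page = set_protection(SYSOP, page, types, {"move": ""})
    except PermissionError:
        return False
    return allowed(SYSOP, page, "move")


if __name__ == "__main__":
    print(sysop_can_unlock_move(["edit", "move"]))
    print(sysop_can_unlock_move(["edit", "move", "delete", "protect"]))
```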
