Last modified: 2014-08-12 16:05:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T29152, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 27152 - Using $wgRevokePermissions doesn't revoke protection permissions when the 'editprotected' permission is assigned
Using $wgRevokePermissions doesn't revoke protection permissions when the 'ed...
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Page protection (Other open bugs)
unspecified
All All
: Normal minor with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-04 06:35 UTC by $wgRevekePermissions with 'editprotected'
Modified: 2014-08-12 16:05 UTC (History)
5 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description $wgRevekePermissions with 'editprotected' 2011-02-04 06:35:26 UTC 
If a user group is given the 'editprotected' right, and then a specific protection right is revoked, the revoking doesn't work.

For example:

$wgGroupPermissions['mygroup']['editprotected'] = true;
$wgRevokePermissions['mygroup']['mylevel'] = true;

I would expect that in this case, if a page was protected to the 'mylevel' level, then the 'mygroup' group would not be able to edit that page. The actual outcome is that revoking the 'mylevel' right has no affect.

In addition, if the 'mygroup' group also has the 'protect' permission, they can unprotect the page to a lower level.

For example:

$wgGroupPermissions['mygroup']['protect'] = true;
$wgGroupPermissions['mygroup']['editprotected'] = true;
$wgGroupPermissions['mygroup']['someotherlevel'] = true;
$wgRevokePermissions['mygroup']['mylevel'] = true;

I would expect that in this case, if a page was protected to the 'mylevel' level, then the 'mygroup' group would not be able to unprotect the page. The actual outcome is that they can unprotect it, and/or change the protection level to 'someotherlevel', which in my case is a lower level.
Comment 1 Mark A. Hershberger 2011-02-04 15:37:49 UTC 
Thanks for reporting this.  I can't help you at the moment, but I'll try to make sure someone who can has a look.
Comment 2 Chad H. 2011-02-04 18:43:22 UTC 
Adding CC of original author of the feature.
Comment 3 Ryan Schmidt 2011-02-05 04:05:35 UTC 
From my understanding, the purpose of the 'editprotected' permission is so that if you lack the permission to edit the page normally (in other words, you lack the permission that the page protection is set to), you would still be able to edit. Therefore, if my understanding is correct, then the correct behavior would be to allow editing any protected page no matter what permissions you have assigned or revoked.

If you remove the 'editprotected' permission from 'mygroup', then both of your cases should work as intended. If for some strange configuration reason you can't simply remove this permission, then please post exactly what sort of configuration you are trying to have so that I can either see why this bug needs to be "fixed" or if I can offer alternatives.
Comment 4 $wgRevekePermissions with 'editprotected' 2011-02-05 04:37:28 UTC 
(In reply to comment #3)
> From my understanding, the purpose of the 'editprotected' permission is so that
> if you lack the permission to edit the page normally (in other words, you lack
> the permission that the page protection is set to), you would still be able to
> edit. Therefore, if my understanding is correct, then the correct behavior
> would be to allow editing any protected page no matter what permissions you
> have assigned or revoked.
> 
> If you remove the 'editprotected' permission from 'mygroup', then both of your
> cases should work as intended. If for some strange configuration reason you
> can't simply remove this permission, then please post exactly what sort of
> configuration you are trying to have so that I can either see why this bug
> needs to be "fixed" or if I can offer alternatives.

Giving a specific permission to a group that also has the 'protect' right automatically gives them the ability to protect the page to that level, with no way of changing that. However, with 'editprotected', having the 'protect' right doesn't help unless you specifically have the right for one or more levels. What I was trying to do was give (in this example) 'mygroup' rights to edit all pages except 'mylevel', but only be able to 'protect' pages to 'someotherlevel'.
Comment 5 $wgRevekePermissions with 'editprotected' 2013-01-22 03:55:09 UTC 
Okay then, if this functionality isn't to be changed, what is the probability of having new functionality added for this? So that it's possible to give groups edit access to specific levels (but no protect/unprotect access), and edit access as well as protect/unprotect access to other levels.

Example code:

$wgGroupPermissions['mygroup']['mylevel'] = true // Give edit access to 'mylevel' for 'mygroup', no protect/unprotect access
$wgGroupPermissions['mygroup']['anotherlevel-protect'] = true // Give edit access as well as protect/unprotect access to 'mylevel' for 'mygroup'

Using the example above, the 'protect' right could be preserved for giving protect/unprotect access to all levels that the user has edit access to (same as the current functionality), similar to how 'editprotected' is a special case. I'm sure there are also other ways that this could be implemented as well.
Comment 6 Gerrit Notification Bot 2013-07-01 22:02:29 UTC 
Change 71536 had a related patch set uploaded by Anomie:
Fix protection rights usage

https://gerrit.wikimedia.org/r/71536
Comment 7 Gerrit Notification Bot 2013-07-04 05:43:22 UTC 
Change 71536 merged by jenkins-bot:
Fix protection rights usage

https://gerrit.wikimedia.org/r/71536
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links