Last modified: 2011-06-07 18:27:30 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T30354, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 28354 - Edit tab is shown as "view source" for blocked users, which breaks squid caching
Edit tab is shown as "view source" for blocked users, which breaks squid caching
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Interface (Other open bugs)
1.18.x
All All
: High normal (vote)
: ---
Assigned To: Rob Lanphier
http://de.wikipedia.org/w/index.php?o...
: patch, patch-need-review
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-01 00:18 UTC by P.Copp
Modified: 2011-06-07 18:27 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Proposed fix: Skip user block checks for Title::quickUserCan() (1010 bytes, patch)
2011-04-01 00:18 UTC, P.Copp 		Details
Test addition for TitlePermissionTest.php (2.31 KB, patch)
2011-04-01 00:20 UTC, P.Copp 		Details
Add an attachment (proposed patch, testcase, etc.)

Description P.Copp 2011-04-01 00:18:17 UTC 
Created attachment 8355 [details]
Proposed fix: Skip user block checks for Title::quickUserCan()

In 1.16, unprotected pages showed an "edit" tab to the user, even if he was blocked from editing. In 1.17 this behavior has accidentally changed to show a "view source" tab for blocked users. This is problematic because the page is then cached in squid and shown to other, non-blocked users with the wrong tab.

The change has been caused by r65504, when Title::getUserPermissionsErrorsInternal (which is called for quickUserCan) was refactored to also check for user blocks. The attached patch fixes this by skipping the block checks for Title::quickUserCan. Note that the patch also removes an unnecessary check for "$short && count($errors)", this is handled by getUserPermissionsErrorsInternal() already.
Comment 1 P.Copp 2011-04-01 00:20:43 UTC 
Created attachment 8356 [details]
Test addition for TitlePermissionTest.php

A small unit test to check that quickUserCan() ignores blocks. I had to make some unrelated tweaks to Title.php to make the test work again, as it is currently broken on trunk.
Comment 2 Mark A. Hershberger 2011-04-26 03:38:31 UTC 
Comment from triage: "should be fixed if it is breaking caching, but the right thing may be to disable general caching if we find that you (user) are blocked?"

Could you apply your fix so we can test it?
Comment 3 Roan Kattouw 2011-04-26 15:30:10 UTC 
(In reply to comment #2)
> Comment from triage: "should be fixed if it is breaking caching, but the right
> thing may be to disable general caching if we find that you (user) are
> blocked?"
> 
And how would we do that? The caching happens on the Squid level and only looks at login cookies to let stuff through.
Comment 4 P.Copp 2011-05-03 13:20:50 UTC 
Fixed in r87326.

Note there's also bug5106 for the issue of showing the "view source" tab to blocked users.
Comment 5 Brion Vibber 2011-06-07 18:27:30 UTC 
Please see code review comment on r87326; the $short parameter on Title::checkUserBlock is no longer used. Is this deliberate? Does that need to be fixed, or removed, or changed?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links