Last modified: 2010-05-15 15:41:05 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 7287 - Upload page requires login even if permissions are set to allow
Upload page requires login even if permissions are set to allow
Status: RESOLVED DUPLICATE of bug 5970
Product: MediaWiki
Classification: Unclassified
Uploading (Other open bugs)
1.7.x
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-11 00:29 UTC by Chris Mospaw
Modified: 2010-05-15 15:41 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Chris Mospaw 2006-09-11 00:29:15 UTC
This happened after an upgrade from v1.5.7 to v1.7.1 and appears to affect
v1.7.1. I have not tested on any other version.

The LocalSettings.php file has the following settings:

    # Allow 'anonymous' uploads
    $wgGroupPermissions['*']['upload'] = true;
    $wgGroupPermissions['*']['reupload'] = true;
    $wgGroupPermissions['*']['reupload-shared'] = true;

Furthermore, there is an array that contains a list of permitted files (nothing
unusual, just the standard ones) and the $wgEnableUploads directive is set to true.

Users who were not logged in could upload before the upgrade, but the
Special:Upload page now informs those users that they must be logged in,
regardless of the settings. Logging into a basic account does, in fact, allow
uploads.

This issue has been confirmed on both upgraded and fresh MediaWiki 1.7.1
installations on Mac OS X 10.4 (PHP 5.1.1), Linux, and FreeBSD (sorry no versions).

The bug appears to be in includes/SpecialUpload.php, lines 107-115, where
permissions for uploading are checked:

107  if( $wgUser->isLoggedIn() ) {
108    if( !$wgUser->isAllowed( 'upload' ) ) {
109      $wgOut->permissionRequired( 'upload' );
110      return;
111    }
112  } else {
113    $wgOut->showErrorPage( 'uploadnologin', 'uploadnologintext' );
114    return;
115  }

It appears to be a logic flaw in that the "isAllowed" upload check is inside the
"isLoggedIn" check, which effectively forces the user to be logged in regardless
of settings.

Since previous versions have worked this way, and several installations I use
rely on this feature, the current version should be repaired to allow anonymous
to upload files if the settings are set to allow "*" users to upload.
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-09-11 03:27:10 UTC
Already fixed, r16199.  Either upgrade to trunk or downgrade to 1.6.x if you
want the fix to be applied (my impression is that nobody usually bothers
backporting bug fixes unless they're security issues, but you could ask a dev to
backport it to 1.7 if you want).
Comment 2 Rotem Liss 2006-09-11 16:01:16 UTC
The problem is already exist in 1.6.x, although it's not exist in 1.5.x. You can
patch your installation.
Comment 3 Rotem Liss 2006-09-11 16:01:26 UTC

*** This bug has been marked as a duplicate of 5970 ***

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links