Last modified: 2010-05-15 15:41:05 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9287, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 7287 - Upload page requires login even if permissions are set to allow
Upload page requires login even if permissions are set to allow
Status: RESOLVED DUPLICATE of bug 5970
Product: MediaWiki
Classification: Unclassified
Uploading (Other open bugs)
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2006-09-11 00:29 UTC by Chris Mospaw
Modified: 2010-05-15 15:41 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Chris Mospaw 2006-09-11 00:29:15 UTC
This happened after an upgrade from v1.5.7 to v1.7.1 and appears to affect
v1.7.1. I have not tested on any other version.

The LocalSettings.php file has the following settings:

    # Allow 'anonymous' uploads
    $wgGroupPermissions['*']['upload'] = true;
    $wgGroupPermissions['*']['reupload'] = true;
    $wgGroupPermissions['*']['reupload-shared'] = true;

Furthermore, there is an array that contains a list of permitted files (nothing
unusual, just the standard ones) and the $wgEnableUploads directive is set to true.

Users who were not logged in could upload before the upgrade, but the
Special:Upload page now informs those users that they must be logged in,
regardless of the settings. Logging into a basic account does, in fact, allow

This issue has been confirmed on both upgraded and fresh MediaWiki 1.7.1
installations on Mac OS X 10.4 (PHP 5.1.1), Linux, and FreeBSD (sorry no versions).

The bug appears to be in includes/SpecialUpload.php, lines 107-115, where
permissions for uploading are checked:

107  if( $wgUser->isLoggedIn() ) {
108    if( !$wgUser->isAllowed( 'upload' ) ) {
109      $wgOut->permissionRequired( 'upload' );
110      return;
111    }
112  } else {
113    $wgOut->showErrorPage( 'uploadnologin', 'uploadnologintext' );
114    return;
115  }

It appears to be a logic flaw in that the "isAllowed" upload check is inside the
"isLoggedIn" check, which effectively forces the user to be logged in regardless
of settings.

Since previous versions have worked this way, and several installations I use
rely on this feature, the current version should be repaired to allow anonymous
to upload files if the settings are set to allow "*" users to upload.
Comment 1 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-09-11 03:27:10 UTC
Already fixed, r16199.  Either upgrade to trunk or downgrade to 1.6.x if you
want the fix to be applied (my impression is that nobody usually bothers
backporting bug fixes unless they're security issues, but you could ask a dev to
backport it to 1.7 if you want).
Comment 2 Rotem Liss 2006-09-11 16:01:16 UTC
The problem is already exist in 1.6.x, although it's not exist in 1.5.x. You can
patch your installation.
Comment 3 Rotem Liss 2006-09-11 16:01:26 UTC

*** This bug has been marked as a duplicate of 5970 ***

Note You need to log in before you can comment on or make changes to this bug.