Last modified: 2007-01-02 18:58:21 UTC

Bug 8462 - Private pages can be transcluded into public pages
Product: MediaWiki
Classification: Unclassified
Page editing
Lowest enhancement with 2 votes
Assigned To: Nobody - You can work on this!
Reported: 2007-01-02 15:27 UTC by Angela
Modified: 2007-01-02 18:58 UTC


Description Angela 2007-01-02 15:27:49 UTC
A wiki has mostly private pages (only viewable and editable by logged in users)
and account creation restricted. The wiki allows public comments on one page.

However, users can type {{:Village pump}} on the public page to view private

Transclusion of private pages should not be allowed.

Partly related to
Comment 1 Rob Church 2007-01-02 15:33:18 UTC
Surprise, surprise; when people start hacking about with their configuration to
get MediaWiki to do something it was never intended to do, things don't work as

There is no such thing as a "private page". Blocking all users from reading all
but a few pages is fine, but then not preventing them from editing is obviously
going to yield unwanted results.

Fixing this one requires major changes to the transclusion engine in the parser,
and would make caching far less effective than it is already.
Comment 2 Anders Wegge Jakobsen 2007-01-02 15:34:53 UTC
MediaWiki does not have private pages. Various patches claim to provide this,
but as they are not part of the MediaWiki base, this bug is invalid.
Comment 3 Angela 2007-01-02 15:45:29 UTC
Wegge, this isn't about an extension. It's the $wgGroupPermissions setting which
does allow for private pages - all non-whitelisted pages are supposed to be made
private with this setting.

$wgGroupPermissions['*']['read'] = false; makes the non-whitelisted pages
private. Only it isn't working since those pages can still be read by
transcluding them in other pages. is not viewable to
unlogged in users, but it appears on the main page. In this case, that's fine
since a registered user chose to put it there, but an unregistered user could do
that with any page if one page was editable.
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-01-02 17:22:31 UTC
Read whitelists for a private wiki are intended to allow something like reading
the main page (so they can see what the site is about) and Special:Userlogin (so
they can log in).  They are not supposed to be used to allow editing of even a
single page, which opens up this vulnerability.  As the comment in
DefaultSettings.php says:

 * Functionality to make pages inaccessible has not been extensively tested
 * for security. Use at your own risk!

This is not a bug.  It's a lack of functionality, which is presently deliberate.
Comment 5 Brion Vibber 2007-01-02 18:58:21 UTC
There is no support for mixed public/private editing in MediaWiki. Trying to
hack in a patch here will just leave a thousand other holes open.
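
The configuration discussed in this thread, as an added example that is not part of the original report or of MediaWiki's own code: the setup from the description, followed by the read-only whitelist that comment 4 describes. The whitelist titles are sample values.

```php
<?php
// Added example for LocalSettings.php. The whitelist titles are sample values.

// Setup from the report: anonymous users ('*') cannot read non-whitelisted
// pages, but 'edit' is left at its default (allowed), so any whitelisted
// page stays editable by anyone. An anonymous editor can then add
// {{:Some restricted page}} to it, and the parser renders that page's
// content into a page everyone can read.
$wgGroupPermissions['*']['read'] = false;
$wgWhitelistRead = array( 'Main Page', 'Special:Userlogin' );

// Hardened form, following comment 4: the whitelist exists so visitors can
// see what the site is about and log in, not so they can edit.
// Deny anonymous editing and account creation, so that only accounts
// already allowed to read every page can write wikitext.
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
```

Logged-in editors can still transclude restricted pages into whitelisted ones, as comment 3 notes, so anything on the read whitelist should be treated as public.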

