Last modified: 2012-12-13 11:17:48 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T39989, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 37989 - permissions must be checked on item creation
permissions must be checked on item creation
Status: VERIFIED FIXED
Product: MediaWiki extensions
Classification: Unclassified
WikidataRepo (Other open bugs)
master
All All
: Highest critical (vote)
: ---
Assigned To: Wikidata bugs
storypoints: 5
: testme
Depends on:
Blocks: 37588 38975
  Show dependency treegraph
 
Reported: 2012-06-27 16:36 UTC by Daniel Kinzler
Modified: 2012-12-13 11:17 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Daniel Kinzler 2012-06-27 16:36:15 UTC 
Currently, permissions are only checked correctly when modifying existing items, not when creating items. The reason is that permission checks are title based, but we can only have a title after the item has been recorded in the database. Which we don't want to do if the user shouldn't be allow to create the item.

So... make a dummy title? or just check user rights, and not title based permissions? 

Note: the ultimate permission check should be implemented in Item::save().
Comment 1 Daniel Kinzler 2012-06-27 20:36:50 UTC 
The simplest (and probably most robust solution) may be to construct a dummy Title for a page in the data namespace, e.g. Data:Q0, and call userCan() on that.

This would bypass page protection against creation as well as the title backlist and similar things, but these do not apply to the ID-based titles used by wikidata anyway.

(side note... should the title blacklist apply to item labels and aliases?)
Comment 2 denny vrandecic 2012-07-05 13:55:34 UTC 
Picked for sprint 9.
Comment 3 denny vrandecic 2012-08-09 12:25:52 UTC 
See ItemContent::UserCanEdit
Comment 4 denny vrandecic 2012-08-09 12:27:08 UTC 
Consider API wbsetitem({}) and the Special:CreateItem page.
Comment 5 Anja Jentzsch 2012-11-29 12:38:39 UTC 
Verified in Wikidata demo time for sprint 15
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links