Last modified: 2006-04-23 01:31:16 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T7685, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 5685 - Special:CheckUser is not shown in the special pages list, and is not well-defined as a special page
Special:CheckUser is not shown in the special pages list, and is not well-def...
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
CheckUser (Other open bugs)
unspecified
All All
: Normal minor with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
: 5692 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-22 16:09 UTC by Rotem Liss
Modified: 2006-04-23 01:31 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Rotem Liss 2006-04-22 16:09:52 UTC
The page [[Special:CheckUser]] is not shown in the spcial pages list, also not
for the users who have the permission "checkuser".

I've downloaded the extension for my computer, and attached myself to the group
"checkuser", but the page was not shown in the list, and browsing to
[[Special:CheckUser]] (in my computer, of course) was shown as "this special
page does not exist". I've checked CheckUser.php, and it indeed shows the
message "special page is not exist" if the user doesn't have the permission. The
permission "checkuser" wasn't shown in the array $wgUser->getRights() for me
("userrights" also wasn't shown, although I've installed Makesysop and attached
myself to the group "steward", so the problem that rights from custom groups is
a global problem), and the special page wasn't shown. If I replaced the search
in $wgUser->getRights() to the function $wgUser->isAllowed(), it worked for me.
I have no idea how does it work in Wikimedia projects.

When I changed the UnlistedSpecialpage to Specialpage, it appeared in the global
special pages list, so the extension does not define "checkuser" as the
restriction, but uses its own restriction. I suggest to define the restriction
of the special page as "checkuser" (and cancel the internal check whether the
user has the permission "checkuser" or not, because it should be done normally,
by the class SpecialPage), and to make it a listed special page.
Comment 1 Rob Church 2006-04-22 17:04:06 UTC
As far as I recall, the CheckUser code checks the user's permissions to use the
page before it even registers the existence of the page; the code is wrapped in
a large if statement which checks the user's permissions.

I am inclined to suspect this is deliberate, and I support this behaviour for
this particular extension.
Comment 2 Rotem Liss 2006-04-22 17:15:54 UTC
The page must be exist if the extension is installed, like [[Special:Makesysop]]
must be exist if the extension Makesysop is installed. The following code checks
the permissions:
if ( !in_array( 'checkuser', $wgUser->getRights() ) )
{
$wgOut->setArticleRelated( false );
$wgOut->setRobotpolicy( 'noindex,follow' );
$wgOut->errorpage( 'nosuchspecialpage', 'nospecialpagetext' );
return;
}
It just returns "nosuchspecialpage", which is wrong. Also, the extension is not
registered in [[Special:Version]] (although the function wfCheckUser is written
there), so it seems to be deliberate. However, why should it be so? Why should
we hide the fact this extension is exist? Only users with the group "checkuser"
can use it. We could also hide [[Special:Userrights]] this way, but why should
we do that?

However, the extension adds the group "checkuser" to the groups list, so
everybody can just check [[Special:Listusers]] and see if the extension is
installed. However, hiding the special page makes it harder to use the page (how
should the checkuser users know how is the page called?).

Also, I still don't understand how does the page check the permission, if
$wgUser->getRights() returns only the rights given from the regular groups, and
$wgUser->getGroups() returns only the regular groups.
Comment 3 Anders Wegge Jakobsen 2006-04-22 17:23:41 UTC
Considering that this extension is meant to be a vandalism discovery tool, my
guess is that the behaviour is deliberate.
Comment 4 Rotem Liss 2006-04-22 17:32:39 UTC
(In reply to comment #3)
> Considering that this extension is meant to be a vandalism discovery tool, my
> guess is that the behaviour is deliberate.

It should be shown for CheckUser users, however, because they *should* use it.
By the way, if we completely hide a special page (not in the list even for
authorized user, shows "page is not exist" instead of "you are not authorized"
when a user is not authorized, hidden from [[Special:Version]]) for added
security (although I don't know what security is added this way), why shouldn't
we hide [[Special:Userrights]]? A user can cause much more damage using this
tool. He probably cannot use it, and he also cannot use [[Special:CheckUser]],
so if we use the normal behavior, they are not shown in the special page list
for him, and he gets a permissions error when trying to access them. If we try
to hide this tool, why do we document it at all? I suppose there were long, long
discussions in every site about this feature. If a vandalist would like to know
about this feature, he will know. There is no reason to hide this feature, just
not to allow users without "checkuser" permission to access it, like we don't
allow users without "userrights" permission to access [[Special:Userrights]].
Comment 5 Rob Church 2006-04-22 17:38:25 UTC
(In reply to comment #2)
> The page must be exist if the extension is installed, like [[Special:Makesysop]]
> must be exist if the extension Makesysop is installed.

Well, to be pedantic about it, no, it doesn't; the extension can "opt" to make
the page available, or it could do a number of other things.

> It just returns "nosuchspecialpage", which is wrong.

It depends upon your scope. From the point of view of the user attempting to
access it with insufficient permissions; the page doesn't exist.

> Also, the extension is not
> registered in [[Special:Version]] (although the function wfCheckUser is written
> there), so it seems to be deliberate.

The function is listed there because Special:Version queries the
$wgExtensionsFunctions array; other "credits" are added to that page via the
$wgExtensionCredits array. The former is always set; the latter doesn't have to be.

> However, why should it be so? Why should
> we hide the fact this extension is exist? Only users with the group "checkuser"
> can use it. We could also hide [[Special:Userrights]] this way, but why should
> we do that?

CheckUser has been, and still is, considered a controversial extension used out
of sheer necessity. To newbies, there could be a misinterpretation of the name.
Some more experienced users still dislike it.

> However, hiding the special page makes it harder to use the page (how
> should the checkuser users know how is the page called?).

They will be explicitly aware of it, if they have permission to use it.

> Also, I still don't understand how does the page check the permission, if
> $wgUser->getRights() returns only the rights given from the regular groups, and
> $wgUser->getGroups() returns only the regular groups.

User::getRights() returns an array of all the rights a user has as a result of
their  group memberships. A user who is a member of the checkuser group will
have the checkuser right as a result of this. Please see includes/User.php for
more details.

Comment 6 Rotem Liss 2006-04-22 17:46:06 UTC
(In reply to comment #5)
> (In reply to comment #2)
> > Also, I still don't understand how does the page check the permission, if
> > $wgUser->getRights() returns only the rights given from the regular groups, and
> > $wgUser->getGroups() returns only the regular groups.
> 
> User::getRights() returns an array of all the rights a user has as a result of
> their  group memberships. A user who is a member of the checkuser group will
> have the checkuser right as a result of this. Please see includes/User.php for
> more details.
> 
In my installed wiki (latest trunk), User::getRights() returns only the rights
were given by the regular groups (for example, "delete" (which is granted by
"sysop") but not "checkuser" (it is granted by "checkuser") or "userrights"
(Makesysop is installed, so it is granted by "steward"). I will check it again.
Comment 7 Rotem Liss 2006-04-22 18:04:19 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #2)
> > > Also, I still don't understand how does the page check the permission, if
> > > $wgUser->getRights() returns only the rights given from the regular
groups, and
> > > $wgUser->getGroups() returns only the regular groups.
> > 
> > User::getRights() returns an array of all the rights a user has as a result of
> > their  group memberships. A user who is a member of the checkuser group will
> > have the checkuser right as a result of this. Please see includes/User.php for
> > more details.
> > 
> In my installed wiki (latest trunk), User::getRights() returns only the rights
> were given by the regular groups (for example, "delete" (which is granted by
> "sysop") but not "checkuser" (it is granted by "checkuser") or "userrights"
> (Makesysop is installed, so it is granted by "steward"). I will check it again.

Ah, I was indeed wrong, and now it works well. Let's go back to the discussion
of the bug itself:

> > However, why should it be so? Why should
> > we hide the fact this extension is exist? Only users with the group "checkuser"
> > can use it. We could also hide [[Special:Userrights]] this way, but why should
> > we do that?
> 
> CheckUser has been, and still is, considered a controversial extension used out
> of sheer necessity. To newbies, there could be a misinterpretation of the name.
> Some more experienced users still dislike it.

We can cancel it, but of course we shouldn't do so because it should be used in
some cases. It's better that newbies will know everything about this extension
than they will know nothing but rumors. If we hide it, it's worse.

Also, maybe some users don't like the fact that pages can be deleted. Should we
hide the deletion log, etc.?

> > However, hiding the special page makes it harder to use the page (how
> > should the checkuser users know how is the page called?).
> 
> They will be explicitly aware of it, if they have permission to use > it.

How should they know about it? And if they know about it, the other users also
can know about it.
Comment 8 Brion Vibber 2006-04-22 18:56:14 UTC
Changed from unlisted to regular restricted listing in r13817.
Will now show in the restricted special page list for users with
CheckUser permission; as with all such pages it remains unlisted
for users without permission to use it.
Comment 9 Rob Church 2006-04-23 01:31:16 UTC
*** Bug 5692 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links