Last modified: 2006-04-23 01:31:16 UTC
The page [[Special:CheckUser]] is not shown in the spcial pages list, also not for the users who have the permission "checkuser". I've downloaded the extension for my computer, and attached myself to the group "checkuser", but the page was not shown in the list, and browsing to [[Special:CheckUser]] (in my computer, of course) was shown as "this special page does not exist". I've checked CheckUser.php, and it indeed shows the message "special page is not exist" if the user doesn't have the permission. The permission "checkuser" wasn't shown in the array $wgUser->getRights() for me ("userrights" also wasn't shown, although I've installed Makesysop and attached myself to the group "steward", so the problem that rights from custom groups is a global problem), and the special page wasn't shown. If I replaced the search in $wgUser->getRights() to the function $wgUser->isAllowed(), it worked for me. I have no idea how does it work in Wikimedia projects. When I changed the UnlistedSpecialpage to Specialpage, it appeared in the global special pages list, so the extension does not define "checkuser" as the restriction, but uses its own restriction. I suggest to define the restriction of the special page as "checkuser" (and cancel the internal check whether the user has the permission "checkuser" or not, because it should be done normally, by the class SpecialPage), and to make it a listed special page.
As far as I recall, the CheckUser code checks the user's permissions to use the page before it even registers the existence of the page; the code is wrapped in a large if statement which checks the user's permissions. I am inclined to suspect this is deliberate, and I support this behaviour for this particular extension.
The page must be exist if the extension is installed, like [[Special:Makesysop]] must be exist if the extension Makesysop is installed. The following code checks the permissions: if ( !in_array( 'checkuser', $wgUser->getRights() ) ) { $wgOut->setArticleRelated( false ); $wgOut->setRobotpolicy( 'noindex,follow' ); $wgOut->errorpage( 'nosuchspecialpage', 'nospecialpagetext' ); return; } It just returns "nosuchspecialpage", which is wrong. Also, the extension is not registered in [[Special:Version]] (although the function wfCheckUser is written there), so it seems to be deliberate. However, why should it be so? Why should we hide the fact this extension is exist? Only users with the group "checkuser" can use it. We could also hide [[Special:Userrights]] this way, but why should we do that? However, the extension adds the group "checkuser" to the groups list, so everybody can just check [[Special:Listusers]] and see if the extension is installed. However, hiding the special page makes it harder to use the page (how should the checkuser users know how is the page called?). Also, I still don't understand how does the page check the permission, if $wgUser->getRights() returns only the rights given from the regular groups, and $wgUser->getGroups() returns only the regular groups.
Considering that this extension is meant to be a vandalism discovery tool, my guess is that the behaviour is deliberate.
(In reply to comment #3) > Considering that this extension is meant to be a vandalism discovery tool, my > guess is that the behaviour is deliberate. It should be shown for CheckUser users, however, because they *should* use it. By the way, if we completely hide a special page (not in the list even for authorized user, shows "page is not exist" instead of "you are not authorized" when a user is not authorized, hidden from [[Special:Version]]) for added security (although I don't know what security is added this way), why shouldn't we hide [[Special:Userrights]]? A user can cause much more damage using this tool. He probably cannot use it, and he also cannot use [[Special:CheckUser]], so if we use the normal behavior, they are not shown in the special page list for him, and he gets a permissions error when trying to access them. If we try to hide this tool, why do we document it at all? I suppose there were long, long discussions in every site about this feature. If a vandalist would like to know about this feature, he will know. There is no reason to hide this feature, just not to allow users without "checkuser" permission to access it, like we don't allow users without "userrights" permission to access [[Special:Userrights]].
(In reply to comment #2) > The page must be exist if the extension is installed, like [[Special:Makesysop]] > must be exist if the extension Makesysop is installed. Well, to be pedantic about it, no, it doesn't; the extension can "opt" to make the page available, or it could do a number of other things. > It just returns "nosuchspecialpage", which is wrong. It depends upon your scope. From the point of view of the user attempting to access it with insufficient permissions; the page doesn't exist. > Also, the extension is not > registered in [[Special:Version]] (although the function wfCheckUser is written > there), so it seems to be deliberate. The function is listed there because Special:Version queries the $wgExtensionsFunctions array; other "credits" are added to that page via the $wgExtensionCredits array. The former is always set; the latter doesn't have to be. > However, why should it be so? Why should > we hide the fact this extension is exist? Only users with the group "checkuser" > can use it. We could also hide [[Special:Userrights]] this way, but why should > we do that? CheckUser has been, and still is, considered a controversial extension used out of sheer necessity. To newbies, there could be a misinterpretation of the name. Some more experienced users still dislike it. > However, hiding the special page makes it harder to use the page (how > should the checkuser users know how is the page called?). They will be explicitly aware of it, if they have permission to use it. > Also, I still don't understand how does the page check the permission, if > $wgUser->getRights() returns only the rights given from the regular groups, and > $wgUser->getGroups() returns only the regular groups. User::getRights() returns an array of all the rights a user has as a result of their group memberships. A user who is a member of the checkuser group will have the checkuser right as a result of this. Please see includes/User.php for more details.
(In reply to comment #5) > (In reply to comment #2) > > Also, I still don't understand how does the page check the permission, if > > $wgUser->getRights() returns only the rights given from the regular groups, and > > $wgUser->getGroups() returns only the regular groups. > > User::getRights() returns an array of all the rights a user has as a result of > their group memberships. A user who is a member of the checkuser group will > have the checkuser right as a result of this. Please see includes/User.php for > more details. > In my installed wiki (latest trunk), User::getRights() returns only the rights were given by the regular groups (for example, "delete" (which is granted by "sysop") but not "checkuser" (it is granted by "checkuser") or "userrights" (Makesysop is installed, so it is granted by "steward"). I will check it again.
(In reply to comment #6) > (In reply to comment #5) > > (In reply to comment #2) > > > Also, I still don't understand how does the page check the permission, if > > > $wgUser->getRights() returns only the rights given from the regular groups, and > > > $wgUser->getGroups() returns only the regular groups. > > > > User::getRights() returns an array of all the rights a user has as a result of > > their group memberships. A user who is a member of the checkuser group will > > have the checkuser right as a result of this. Please see includes/User.php for > > more details. > > > In my installed wiki (latest trunk), User::getRights() returns only the rights > were given by the regular groups (for example, "delete" (which is granted by > "sysop") but not "checkuser" (it is granted by "checkuser") or "userrights" > (Makesysop is installed, so it is granted by "steward"). I will check it again. Ah, I was indeed wrong, and now it works well. Let's go back to the discussion of the bug itself: > > However, why should it be so? Why should > > we hide the fact this extension is exist? Only users with the group "checkuser" > > can use it. We could also hide [[Special:Userrights]] this way, but why should > > we do that? > > CheckUser has been, and still is, considered a controversial extension used out > of sheer necessity. To newbies, there could be a misinterpretation of the name. > Some more experienced users still dislike it. We can cancel it, but of course we shouldn't do so because it should be used in some cases. It's better that newbies will know everything about this extension than they will know nothing but rumors. If we hide it, it's worse. Also, maybe some users don't like the fact that pages can be deleted. Should we hide the deletion log, etc.? > > However, hiding the special page makes it harder to use the page (how > > should the checkuser users know how is the page called?). > > They will be explicitly aware of it, if they have permission to use > it. How should they know about it? And if they know about it, the other users also can know about it.
Changed from unlisted to regular restricted listing in r13817. Will now show in the restricted special page list for users with CheckUser permission; as with all such pages it remains unlisted for users without permission to use it.
*** Bug 5692 has been marked as a duplicate of this bug. ***