Extension talk:GroupPermissionsManager/ExtendedPermissions

There are several security bugs in the newest GroupPermissionsManager, in ExtendedPermissions.php, allowing access to the history (and source of the page) to users who shouldn't have access to it.

I've changed the line:

if( $wgRequest->getVal('action') == 'history' && !$user->isAllowed('history') ) {

to:

if(( $wgRequest->getVal('action') == 'history' || $wgRequest->getVal('diff') != NULL || $wgRequest->getVal('oldid') != NULL) && !$user->isAllowed('history') ) {

And now it works - you can see it in action on WikiPasy.pl. I would be very grateful if you would add this patch in the next version. 83.23.47.230 18:19, 8 January 2009 (UTC)
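
The effect of the change above, as an added example that is not part of the original post or of the extension's code: three standalone versions of the check are run over constructed query strings for a user without the history right. The function names, the sample requests and the stricter presence-based variant are assumptions made for illustration.

```php
<?php
// Added illustration: function names and sample requests are constructed,
// not taken from ExtendedPermissions.php.

// The check before the change: only action=history is gated.
function originalGate(array $query, bool $mayViewHistory): bool {
    return ($query['action'] ?? null) == 'history' && !$mayViewHistory;
}

// The check after the change posted above: diff and oldid are gated as well.
function patchedGate(array $query, bool $mayViewHistory): bool {
    $touchesHistory = ($query['action'] ?? null) == 'history'
        || ($query['diff'] ?? null) != null
        || ($query['oldid'] ?? null) != null;
    return $touchesHistory && !$mayViewHistory;
}

// Assumption: a stricter variant that gates on the parameter being present
// at all, since PHP's loose != treats an empty string as equal to null.
function strictGate(array $query, bool $mayViewHistory): bool {
    $touchesHistory = ($query['action'] ?? null) === 'history'
        || array_key_exists('diff', $query)
        || array_key_exists('oldid', $query);
    return $touchesHistory && !$mayViewHistory;
}

// Constructed query strings, evaluated for a user without the 'history' right.
$samples = [
    'title=Foo',
    'title=Foo&action=history',
    'title=Foo&diff=42',
    'title=Foo&oldid=41',
    'title=Foo&diff=42&oldid=41',
    'title=Foo&oldid=',
];

printf("%-30s %-9s %-8s %s\n", 'query', 'original', 'patched', 'strict');
foreach ($samples as $qs) {
    parse_str($qs, $query); // fills $query the way PHP parses a GET string
    printf(
        "%-30s %-9s %-8s %s\n",
        $qs,
        originalGate($query, false) ? 'blocked' : 'allowed',
        patchedGate($query, false) ? 'blocked' : 'allowed',
        strictGate($query, false) ? 'blocked' : 'allowed'
    );
}
```

A table like this can be kept as a regression check, so that each request parameter found to reach revision content gets its own row.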