Extension talk:GroupPermissionsManager/ExtendedPermissions

There are several security bugs in the newest GroupPermissionsManager, in ExtendedPermissions.php, allowing access to the history (and source of the page) to users who shouldn't have access to it.

I've changed the line:

if( $wgRequest->getVal('action') == 'history' && !$user->isAllowed('history') ) {

to:

if(( $wgRequest->getVal('action') == 'history' || $wgRequest->getVal('diff') != NULL || $wgRequest->getVal('oldid') != NULL) && !$user->isAllowed('history') ) {

And now it works - you can see it in action on WikiPasy.pl. I would be very grateful if you would add this patch to the next version. 83.23.47.230 18:19, 8 January 2009 (UTC)
 * Try reading the documentation -- it's quite helpful. You'll notice that the history right is for viewing page history listings, the readold right controls diff pages and old revisions. -- Skiz zerz  21:32, 8 January 2009 (UTC)
 * And is there any option to allow viewing of history and readold, while disallowing making diffs? As you said this, I think now that "|| $wgRequest->getVal('diff') != NULL" should be somewhere in the "viewsource" right. 83.4.230.7 11:52, 9 January 2009 (UTC)
 * Because diffs allow one to view old revisions, so it should be (and is) part of the readold right. I have yet to see a usage case where one would wish to allow viewing of diffs but disallow viewing of old revisions (or vice versa) -- it simply doesn't make any sense. And viewsource is the current page content, which has nothing to do with diffs OR old revisions. As such, I will not be modifying this extension to accommodate this feature request. If you want it to be a certain way on your own wiki, go ahead and modify the extension yourself, you seem to know what you're doing anyway. -- Skiz zerz  21:36, 9 January 2009 (UTC)
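The mapping argued over in this thread (a history listing is gated by the history right, while diff and oldid views are gated by readold) as an added stand-alone example; it is not GroupPermissionsManager's own code, and the function names, the query arrays and the sample user rights are constructed for illustration.

```php
<?php
// Added example, not the extension's code: derive the rights a request
// needs from its query parameters, then check them against a user's rights.

/** Rights a request needs, derived from its query parameters (hypothetical helper). */
function requiredRights( array $query ): array {
    $needed = [];
    // A history listing only needs the history right.
    if ( ( $query['action'] ?? 'view' ) === 'history' ) {
        $needed[] = 'history';
    }
    // Diffs expose old revision content, so they fall under readold
    // together with explicit oldid= requests; checking action=history
    // alone would leave both of these unguarded.
    if ( isset( $query['diff'] ) || isset( $query['oldid'] ) ) {
        $needed[] = 'readold';
    }
    return $needed;
}

/** True only if the user holds every right the request needs (hypothetical helper). */
function isRequestAllowed( array $query, array $userRights ): bool {
    foreach ( requiredRights( $query ) as $right ) {
        if ( !in_array( $right, $userRights, true ) ) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a user who holds history but not readold.
$user = [ 'read', 'history' ];
$cases = [
    'current page' => [ 'title' => 'Main_Page' ],
    'history list' => [ 'title' => 'Main_Page', 'action' => 'history' ],
    'old revision' => [ 'title' => 'Main_Page', 'oldid' => '1234' ],
    'diff view'    => [ 'title' => 'Main_Page', 'diff' => '1235', 'oldid' => '1234' ],
];
foreach ( $cases as $name => $query ) {
    printf( "%-13s -> %s\n", $name, isRequestAllowed( $query, $user ) ? 'allowed' : 'denied' );
}
```

The first two cases are allowed and the last two denied, which is the split the readold right is meant to produce.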

can't enable readold right
This is a great extension and solves a lot of problems, compared to editing user rights in LocalSettings.php.

I am having trouble finding the readold right - it needs to be enabled for sysop, but I can only see history, and cannot see/edit diffs.

Thanks in advance. Applicationswhisperer 00:35, 27 January 2009 (UTC)
 * If you can't find it in the Special:GroupPermissions page, then you need to re-add it via Special:SortPermissions in the Add permission box. Adding it there should make it visible again on Special:GroupPermissions, where you can then enable it for sysop. -- Skiz zerz  01:40, 27 January 2009 (UTC)