Extension talk:GroupPermissionsManager/ExtendedPermissions

There are several security bugs in the newest GroupPermissionsManager, in ExtendedPermissions.php, allowing access to the history (and source of the page) to users who shouldn't have access to it.

I've changed the line:

if( $wgRequest->getVal('action') == 'history' && !$user->isAllowed('history') ) {

to:

if(( $wgRequest->getVal('action') == 'history' || $wgRequest->getVal('diff') != NULL || $wgRequest->getVal('oldid') != NULL) && !$user->isAllowed('history') ) {

And now it works - you can see it in action on WikiPasy.pl. I would be very grateful if you would add this patch in the next version. 83.23.47.230 18:19, 8 January 2009 (UTC)
 * Try reading the documentation -- it's quite helpful. You'll notice that the history right is for viewing page history listings, the readold right controls diff pages and old revisions. -- Skizzerz 21:32, 8 January 2009 (UTC)
 * And is there any option to allow viewing of history and readold, and disallowing making diffs? As you said this, I think now that "|| $wgRequest->getVal('diff') != NULL" should be somewhere in "viewsource" right. 83.4.230.7 11:52, 9 January 2009 (UTC)
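
An added example, not part of the thread and not the extension's own code, of the split described in the reply above: action=history needs the history right, while a diff or oldid parameter needs readold. The function names and sample requests are constructed for illustration; only the two right names and the three request parameters come from this page.

```php
<?php
// Added illustration, not GroupPermissionsManager code.
// 'history' and 'readold' are the right names from the thread; everything else is hypothetical.

/** Return the rights a read request needs, judged from its query parameters. */
function requiredRights(array $query): array
{
    $rights = [];
    if (($query['action'] ?? 'view') === 'history') {
        $rights[] = 'history';            // page history listing
    }
    // Strict presence test instead of a loose `!= NULL` comparison:
    // in PHP, '' != NULL is false, so an empty value would not match the loose form.
    if (array_key_exists('diff', $query) || array_key_exists('oldid', $query)) {
        $rights[] = 'readold';            // diff pages and old revisions
    }
    return $rights;
}

/** True only if the user holds every right the request needs. */
function isRequestAllowed(array $query, array $userRights): bool
{
    return array_diff(requiredRights($query), $userRights) === [];
}

// Constructed user: may list history, may not read old revisions or diffs.
$userRights = ['read', 'history'];

// Constructed sample query strings.
$samples = [
    'title=Foo',
    'title=Foo&action=history',
    'title=Foo&oldid=123',
    'title=Foo&diff=124&oldid=123',
    'title=Foo&diff=',
];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    printf(
        "%-30s needs [%s] -> %s\n",
        $qs,
        implode(', ', requiredRights($query)),
        isRequestAllowed($query, $userRights) ? 'allow' : 'deny'
    );
}
```

With this user, the plain view and the history listing are allowed and the three oldid/diff requests are denied, which is the separation the two rights are meant to give.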