Extension talk:GroupPermissionsManager/ExtendedPermissions

There are several security bugs in the newest GroupPermissionsManager, in ExtendedPermissions.php, allowing access to the history (and source of the page) to users who shouldn't have access to it.

I've changed the line:

if( $wgRequest->getVal('action') == 'history' && !$user->isAllowed('history') ) {

to:

if(( $wgRequest->getVal('action') == 'history' || $wgRequest->getVal('diff') != NULL || $wgRequest->getVal('oldid') != NULL) && !$user->isAllowed('history') ) {

And now it works - you can see it in action on WikiPasy.pl. I would be very grateful if you would add this patch to the next version. 83.23.47.230 18:19, 8 January 2009 (UTC)
 * Try reading the documentation -- it's quite helpful. You'll notice that the history right is for viewing page history listings, the readold right controls diff pages and old revisions. -- Skiz zerz 21:32, 8 January 2009 (UTC)
 * And is there any option to allow viewing of history and readold, and disallowing making diffs? As you said this, I think now that "|| $wgRequest->getVal('diff') != NULL" should be somewhere in the "viewsource" right. 83.4.230.7 11:52, 9 January 2009 (UTC)
 * Because diffs allow one to view old revisions, so it should be (and is) part of the readold right. I have yet to see a usage case where one would wish to allow viewing of diffs but disallow viewing of old revisions (or vice versa) -- it simply doesn't make any sense. And viewsource is the current page content, which has nothing to do with diffs OR old revisions. As such, I will not be modifying this extension to accommodate this feature request. If you want it to be a certain way on your own wiki, go ahead and modify the extension yourself, you seem to know what you're doing anyway. -- Skiz zerz 21:36, 9 January 2009 (UTC)
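As an added illustration of the rights split the maintainer describes above (history right for action=history, readold right for diff= and oldid=), here is a self-contained PHP check over a request's query parameters; it is example code written for this page, not code from GroupPermissionsManager, and the function names and sample rights are assumptions.

```php
<?php
// Added example, not code from the GroupPermissionsManager extension. It models
// the rights split described in the thread: the 'history' right gates the
// history listing, the 'readold' right gates diffs and old revisions. A check
// that only looks at action=history would let diff=/oldid= requests through,
// which is the gap the first post reports. Function names are assumptions.

/** Return the rights a request needs, based only on its query parameters. */
function requiredRights(array $query): array {
    $rights = [];
    if (($query['action'] ?? null) === 'history') {
        $rights[] = 'history';
    }
    // Diffs and old revisions both expose old page content, so one right
    // (readold) covers both; the parameter only has to be present.
    if (isset($query['diff']) || isset($query['oldid'])) {
        $rights[] = 'readold';
    }
    return $rights;
}

/** True when the user holds every right the request requires. */
function isRequestAllowed(array $query, array $userRights): bool {
    foreach (requiredRights($query) as $right) {
        if (!in_array($right, $userRights, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a group that may list history but not read old revisions.
$userRights = ['read', 'history'];
$requests = [
    ['title' => 'Main_Page', 'action' => 'history'],             // allowed
    ['title' => 'Main_Page', 'diff' => '123', 'oldid' => '122'], // denied
    ['title' => 'Main_Page', 'oldid' => '122'],                  // denied
    ['title' => 'Main_Page'],                                    // allowed
];
foreach ($requests as $q) {
    printf("%-40s %s\n", http_build_query($q),
        isRequestAllowed($q, $userRights) ? 'allowed' : 'denied');
}
```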