Extension talk:GroupPermissionsManager/ExtendedPermissions

From mediawiki.org

There are several security bugs in the newest GroupPermissionsManager, in ExtendedPermissions.php, allowing access to the history (and source of the page) to users who shouldn't have access to it.

I've changed the line:

if( $wgRequest->getVal('action') == 'history' && !$user->isAllowed('history') ) {

to:

if(( $wgRequest->getVal('action') == 'history' || $wgRequest->getVal('diff') != NULL || $wgRequest->getVal('oldid') != NULL) && !$user->isAllowed('history') ) {

And now it works - you can see it in action on WikiPasy.pl. I would be very grateful if you would add this patch in the next version. 83.23.47.230 18:19, 8 January 2009 (UTC)

Try reading the documentation -- it's quite helpful. You'll notice that the history right is for viewing page history listings; the readold right controls diff pages and old revisions. --Skizzerz 21:32, 8 January 2009 (UTC)
And is there any option to allow viewing of history and readold while disallowing diffs? Given what you said, I now think that "|| $wgRequest->getVal('diff') != NULL" should be somewhere in the "viewsource" right. 83.4.230.7 11:52, 9 January 2009 (UTC)
Because diffs allow one to view old revisions, they should be (and are) part of the readold right. I have yet to see a use case where one would wish to allow viewing of diffs but disallow viewing of old revisions (or vice versa) -- it simply doesn't make any sense. And viewsource is the current page content, which has nothing to do with diffs OR old revisions. As such, I will not be modifying this extension to accommodate this feature request. If you want it to be a certain way on your own wiki, go ahead and modify the extension yourself; you seem to know what you're doing anyway. --Skizzerz 21:36, 9 January 2009 (UTC)
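To make the split Skizzerz describes concrete, the following is an added PHP example, not the extension's own code and not the patch posted above. It maps the request parameters a MediaWiki URL carries to the right that has to gate them: action=history to history, any diff= or oldid= parameter to readold, and the current wikitext to viewsource. The $request array stands in for $wgRequest->getVal() lookups and $userRights for $user->isAllowed(); treating action=edit as the request that exposes current wikitext is an assumption made for the illustration.

```php
<?php
// Added example; not code from GroupPermissionsManager. Models the mapping of
// request parameters to the three extended rights as described in the thread.
// $request stands in for $wgRequest->getVal(), $userRights for
// $user->isAllowed(); both are assumptions for this illustration.

/**
 * Return the extended right a request needs, or null when it is a plain
 * current-revision view that none of the three rights covers.
 */
function requiredExtendedRight(array $request): ?string {
    $action = $request['action'] ?? 'view';

    // Page history listing.
    if ($action === 'history') {
        return 'history';
    }
    // A diff or an old revision exposes past content, so it is a readold
    // case even though such URLs usually carry no action= at all
    // (e.g. ?diff=prev&oldid=42). Checking only action=history misses them.
    if (isset($request['diff']) || isset($request['oldid'])) {
        return 'readold';
    }
    // Wikitext of the current revision (assumption: modelled as action=edit,
    // which MediaWiki turns into "View source" when editing is denied).
    if ($action === 'edit') {
        return 'viewsource';
    }
    return null;
}

function isRequestAllowed(array $request, array $userRights): bool {
    $needed = requiredExtendedRight($request);
    return $needed === null || in_array($needed, $userRights, true);
}

// Constructed sample groups: plain readers, and reviewers who may see
// history listings and old revisions but not the current wikitext.
$reader   = ['read'];
$reviewer = ['read', 'history', 'readold'];

// Constructed sample requests, one per case the thread discusses.
$cases = [
    ['action' => 'view'],
    ['action' => 'history'],
    ['diff' => 'prev', 'oldid' => '42'],
    ['oldid' => '42'],
    ['action' => 'edit'],
];

foreach ($cases as $req) {
    printf("%-28s reader:%-5s reviewer:%s\n",
        http_build_query($req),
        isRequestAllowed($req, $reader) ? 'allow' : 'deny',
        isRequestAllowed($req, $reviewer) ? 'allow' : 'deny');
}
```

Run with `php example.php`: the reader is denied everything except the plain view, while the reviewer is allowed the history listing, the diff and the old revision but denied action=edit. The diff and oldid cases are the ones the patch at the top of the thread folded into the history check; here they resolve to readold, which is where the documentation puts them.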

can't enable readold right

This is a great extension and solves a lot of problems, compared to editing user rights in LocalSettings.php.

I am having trouble finding the readold right - it needs to be enabled for sysop, but I can only see history, and cannot see/edit diffs.

Thanks in advance. Applicationswhisperer 00:35, 27 January 2009 (UTC)

If you can't find it on the Special:GroupPermissions page, then you need to re-add it via Special:SortPermissions in the Add permission box. Adding it there should make it visible again on Special:GroupPermissions, where you can then enable it for sysop. --Skizzerz 01:40, 27 January 2009 (UTC)
That fixed it - readold was listed in Special:GroupPermissions, so I moved it to a new category and now it works - thanks much! Applicationswhisperer 17:35, 27 January 2009 (UTC)
Still not working (...I mean it's not working again). I can see all rights in Special:GroupPermissions and can see them in Special:ListGroupRights - both edit and readold are true. But I'm logged in as sysop and cannot edit a page. The edit tab is not visible, and appending '&action=edit' to the URL gives me this error:
View source
Document Management
You do not have permission to edit pages, for the following reason:
You are not allowed to execute the action you have requested.
You can view and copy the source of this page:

Any ideas? Applicationswhisperer 19:27, 27 January 2009 (UTC)

Hmm... I'll look into this, since this definitely sounds like a bug with the extension. --Skizzerz 21:18, 27 January 2009 (UTC)