Topic on Extension talk:CategoryTree

Permissions issue using version c7333ea on mediawiki 1.23

5
Hoggle42 (talkcontribs)

I've an issue with some users with restricted (read only) access being unable to expand any node, seeing the tree wherever it is rendered, but getting a load failure, try again later message whatever node they try to expand.

I suspect it is an incompatibility with my own extension Extension:NSWhitelist but haven't been able to figure out what, yet.

I've ruled out browser issues, and a user with full rights can use it fine. Can someone tell me what user rights are needed to expand a node? Must you be able to read a particular namespace?

Hoggle42 (talkcontribs)

Have narrowed it down to a read permission issue - whitelistread is not sufficient for this url:

index.php?skin=vector&
uselang=en&
debug=true&
action=ajax&
rs=efCategoryTreeAjaxWrapper&
rsargs%5B%5D=Customer_Pages&
rsargs%5B1%5D%5Bmode%5D=10&
rsargs%5B1%5D%5Bhideprefix%5D=20&
rsargs%5B1%5D%5Bshowcount%5D=true&
rsargs%5B1%5D%5Bnamespaces%5D%5B%5D=12&
rsargs%5B1%5D%5Bnamespaces%5D%5B%5D=14&
rsargs%5B1%5D%5Bnamespaces%5D%5B%5D=100&
rsargs%5B%5D=json

The user has read access to the three indicated namespaces, but without a title there appears to be no way to grant access to this url

Hoggle42 (talkcontribs)

ajax dispatcher checks

( !User::isEveryoneAllowed( 'read' ) && !$wgUser->isAllowed( 'read' ) )

and throws an error if this is not the case - this means the TitleReadWhitelist is not checked, as no reference to the title is given.

So, if the user does not have global read access, they can't use categorytree.

hacked the core code to be (bad fix)

( !User::isEveryoneAllowed( 'read' ) && !$wgUser->isAllowed( 'read' )  && !$this->func_name == 'efCategoryTreeAjaxWrapper')
Nemo bis (talkcontribs)

Does userCan( 'read' ) work any better?

Hoggle42 (talkcontribs)

that's a title method - no title in the request.

The problem is that titlereadwhitelist gives permissions on a per-title basis (in this case to user groups) and the ajax request only cares about the user's global permissions. I could use canRead if the request included a title.

Reply to "Permissions issue using version c7333ea on mediawiki 1.23"