[MediaWiki-commits] [Gerrit] SECURITY: Require new right to change content model - change (mediawiki/core)

Mglaser (Code Review) Wed, 26 Nov 2014 17:02:49 -0800

Mglaser has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/176200


Change subject: SECURITY: Require new right to change content model
......................................................................

SECURITY: Require new right to change content model

Add the user right 'editcontentmodel', which is required to change the
content model while editing a Page.

Bug: 70901

Change-Id: I84bd1101e4c234b2db6f650de4a4edc4ca31488a
---
M includes/EditPage.php
M includes/User.php
M includes/api/ApiBase.php
M includes/api/ApiEditPage.php
M languages/messages/MessagesEn.php
M languages/messages/MessagesQqq.php
6 files changed, 27 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/00/176200/1

diff --git a/includes/EditPage.php b/includes/EditPage.php
index 16d9a5a..4dd8384 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -156,6 +156,12 @@
        const AS_IMAGE_REDIRECT_LOGGED = 234;
 
        /**
+        * Status: user tried to modify the content model, but is not allowed 
to do that
+        * ( User::isAllowed('editcontentmodel') == false )
+        */
+       const AS_NO_CHANGE_CONTENT_MODEL = 235;
+
+       /**
         * Status: can't parse content
         */
        const AS_PARSE_ERROR = 240;
@@ -1289,6 +1295,9 @@
                                $permission = $this->mTitle->isTalkPage() ? 
'createtalk' : 'createpage';
                                throw new PermissionsError( $permission );
 
+                       case self::AS_NO_CHANGE_CONTENT_MODEL:
+                               throw new PermissionsError( 'editcontentmodel' 
);
+
                        default:
                                // We don't recognize $status->value. The only 
way that can happen
                                // is if an extension hook aborted from inside 
ArticleSave.
@@ -1503,6 +1512,15 @@
                        }
                }
 
+               if ( $this->contentModel !== $this->mTitle->getContentModel()
+                       && !$wgUser->isAllowed( 'editcontentmodel' )
+               ) {
+                       $status->setResult( false, 
self::AS_NO_CHANGE_CONTENT_MODEL );
+                       wfProfileOut( __METHOD__ . '-checks' );
+                       wfProfileOut( __METHOD__ );
+                       return $status;
+               }
+
                if ( wfReadOnly() ) {
                        $status->fatal( 'readonlytext' );
                        $status->value = self::AS_READ_ONLY_PAGE;
diff --git a/includes/User.php b/includes/User.php
index 6232404..4c7a39d 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -122,6 +122,7 @@
                'deletelogentry',
                'deleterevision',
                'edit',
+               'editcontentmodel',
                'editinterface',
                'editprotected',
                'editmyoptions',
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index ce6ecda..c1454e7 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1351,6 +1351,7 @@
                'permdenied-undelete' => array( 'code' => 'permissiondenied', 
'info' => "You don't have permission to restore deleted revisions" ),
                'createonly-exists' => array( 'code' => 'articleexists', 'info' 
=> "The article you tried to create has been created already" ),
                'nocreate-missing' => array( 'code' => 'missingtitle', 'info' 
=> "The article you tried to edit doesn't exist" ),
+               'cantchangecontentmodel' => array( 'code' => 
'cantchangecontentmodel', 'info' => "You don't have permission to change the 
content model of a page" ),
                'nosuchrcid' => array( 'code' => 'nosuchrcid', 'info' => "There 
is no change with rcid \"\$1\"" ),
                'protect-invalidaction' => array( 'code' => 
'protect-invalidaction', 'info' => "Invalid protection type \"\$1\"" ),
                'protect-invalidlevel' => array( 'code' => 
'protect-invalidlevel', 'info' => "Invalid protection level \"\$1\"" ),
diff --git a/includes/api/ApiEditPage.php b/includes/api/ApiEditPage.php
index bd61895..51c9efc 100644
--- a/includes/api/ApiEditPage.php
+++ b/includes/api/ApiEditPage.php
@@ -423,6 +423,9 @@
                        case EditPage::AS_NO_CREATE_PERMISSION:
                                $this->dieUsageMsg( 'nocreate-loggedin' );
 
+                       case EditPage::AS_NO_CHANGE_CONTENT_MODEL:
+                               $this->dieUsageMsg( 'cantchangecontentmodel' );
+
                        case EditPage::AS_BLANK_ARTICLE:
                                $this->dieUsageMsg( 'blankpage' );
 
diff --git a/languages/messages/MessagesEn.php 
b/languages/messages/MessagesEn.php
index 7b500f2..147ffcd 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
@@ -2114,6 +2114,7 @@
 'right-protect'               => 'Change protection levels and edit 
cascade-protected pages',
 'right-editprotected'         => 'Edit pages protected as 
"{{int:protect-level-sysop}}"',
 'right-editsemiprotected'     => 'Edit pages protected as 
"{{int:protect-level-autoconfirmed}}"',
+'right-editcontentmodel'      => 'Edit the content model of a page',
 'right-editinterface'         => 'Edit the user interface',
 'right-editusercssjs'         => "Edit other users' CSS and JavaScript files",
 'right-editusercss'           => "Edit other users' CSS files",
@@ -2190,6 +2191,7 @@
 'action-viewmywatchlist'      => 'view your watchlist',
 'action-viewmyprivateinfo'    => 'view your private information',
 'action-editmyprivateinfo'    => 'edit your private information',
+'action-editcontentmodel'     => 'edit the content model of a page',
 
 # Recent changes
 'nchanges'                          => '$1 {{PLURAL:$1|change|changes}}',
diff --git a/languages/messages/MessagesQqq.php 
b/languages/messages/MessagesQqq.php
index e201ad4..6aed268 100644
--- a/languages/messages/MessagesQqq.php
+++ b/languages/messages/MessagesQqq.php
@@ -3459,6 +3459,7 @@
 
 See also:
 * {{msg-mw|Right-editprotected}}',
+'right-editcontentmodel' => '{{doc-right|editcontentmodel}}',
 'right-editinterface' => '{{doc-right|editinterface}}',
 'right-editusercssjs' => '{{doc-right|editusercssjs}}',
 'right-editusercss' => '{{doc-right|editusercss}}
@@ -3558,6 +3559,7 @@
 {{Identical|View your watchlist}}',
 'action-viewmyprivateinfo' => '{{doc-action|viewmyprivateinfo}}',
 'action-editmyprivateinfo' => '{{doc-action|editmyprivateinfo}}',
+'action-editcontentmodel' => '{{doc-action|editcontentmodel}}',
 
 # Recent changes
 'nchanges' => 'Appears on enhanced watchlist and recent changes when page has 
more than one change on given date, linking to a diff of the changes.

-- 
To view, visit https://gerrit.wikimedia.org/r/176200
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I84bd1101e4c234b2db6f650de4a4edc4ca31488a
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_22
Gerrit-Owner: Mglaser <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] SECURITY: Require new right to change content model - change (mediawiki/core)

Reply via email to