Mglaser has uploaded a new change for review. https://gerrit.wikimedia.org/r/176200
Change subject: SECURITY: Require new right to change content model ...................................................................... SECURITY: Require new right to change content model Add the user right 'editcontentmodel', which is required to change the content model while editing a Page. Bug: 70901 Change-Id: I84bd1101e4c234b2db6f650de4a4edc4ca31488a --- M includes/EditPage.php M includes/User.php M includes/api/ApiBase.php M includes/api/ApiEditPage.php M languages/messages/MessagesEn.php M languages/messages/MessagesQqq.php 6 files changed, 27 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/00/176200/1 diff --git a/includes/EditPage.php b/includes/EditPage.php index 16d9a5a..4dd8384 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -156,6 +156,12 @@ const AS_IMAGE_REDIRECT_LOGGED = 234; /** + * Status: user tried to modify the content model, but is not allowed to do that + * ( User::isAllowed('editcontentmodel') == false ) + */ + const AS_NO_CHANGE_CONTENT_MODEL = 235; + + /** * Status: can't parse content */ const AS_PARSE_ERROR = 240; @@ -1289,6 +1295,9 @@ $permission = $this->mTitle->isTalkPage() ? 'createtalk' : 'createpage'; throw new PermissionsError( $permission ); + case self::AS_NO_CHANGE_CONTENT_MODEL: + throw new PermissionsError( 'editcontentmodel' ); + default: // We don't recognize $status->value. The only way that can happen // is if an extension hook aborted from inside ArticleSave. @@ -1503,6 +1512,15 @@ } } + if ( $this->contentModel !== $this->mTitle->getContentModel() + && !$wgUser->isAllowed( 'editcontentmodel' ) + ) { + $status->setResult( false, self::AS_NO_CHANGE_CONTENT_MODEL ); + wfProfileOut( __METHOD__ . '-checks' ); + wfProfileOut( __METHOD__ ); + return $status; + } + if ( wfReadOnly() ) { $status->fatal( 'readonlytext' ); $status->value = self::AS_READ_ONLY_PAGE; diff --git a/includes/User.php b/includes/User.php index 6232404..4c7a39d 100644 
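Review bot: The guard added in the third includes/EditPage.php hunk tests `$wgUser->isAllowed( 'editcontentmodel' )`, a wiki-wide right check, so page-level restrictions and permission hooks are not consulted for the model change. A per-title test such as `!$this->mTitle->userCan( 'editcontentmodel', $wgUser )` would let those apply as well. The early return also sets only the result code via `setResult( false, ... )`, whereas the read-only branch directly below it calls `$status->fatal( 'readonlytext' )`, so a caller that renders the Status messages has nothing to show for this failure. The enclosing function starts and ends outside the hunk.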
--- a/includes/User.php +++ b/includes/User.php @@ -122,6 +122,7 @@ 'deletelogentry', 'deleterevision', 'edit', + 'editcontentmodel', 'editinterface', 'editprotected', 'editmyoptions', diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php index ce6ecda..c1454e7 100644 --- a/includes/api/ApiBase.php +++ b/includes/api/ApiBase.php @@ -1351,6 +1351,7 @@ 'permdenied-undelete' => array( 'code' => 'permissiondenied', 'info' => "You don't have permission to restore deleted revisions" ), 'createonly-exists' => array( 'code' => 'articleexists', 'info' => "The article you tried to create has been created already" ), 'nocreate-missing' => array( 'code' => 'missingtitle', 'info' => "The article you tried to edit doesn't exist" ), + 'cantchangecontentmodel' => array( 'code' => 'cantchangecontentmodel', 'info' => "You don't have permission to change the content model of a page" ), 'nosuchrcid' => array( 'code' => 'nosuchrcid', 'info' => "There is no change with rcid \"\$1\"" ), 'protect-invalidaction' => array( 'code' => 'protect-invalidaction', 'info' => "Invalid protection type \"\$1\"" ), 'protect-invalidlevel' => array( 'code' => 'protect-invalidlevel', 'info' => "Invalid protection level \"\$1\"" ), diff --git a/includes/api/ApiEditPage.php b/includes/api/ApiEditPage.php index bd61895..51c9efc 100644 --- a/includes/api/ApiEditPage.php +++ b/includes/api/ApiEditPage.php @@ -423,6 +423,9 @@ case EditPage::AS_NO_CREATE_PERMISSION: $this->dieUsageMsg( 'nocreate-loggedin' ); + case EditPage::AS_NO_CHANGE_CONTENT_MODEL: + $this->dieUsageMsg( 'cantchangecontentmodel' ); + case EditPage::AS_BLANK_ARTICLE: $this->dieUsageMsg( 'blankpage' ); diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 7b500f2..147ffcd 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php 
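Review bot: `'editcontentmodel'` is added to the core rights list in includes/User.php, but none of the six files listed in this change grants it to a group. As far as the file list shows, the content-model change in EditPage is then refused for every account until site configuration assigns the right. If deny-by-default is the intent for this security change on REL1_22, say so where administrators will read it, for example a release-notes line such as `Changing a page's content model now requires the 'editcontentmodel' right, which no group holds by default`. The array this entry joins starts and ends outside the hunk.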
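Review bot: The new `'cantchangecontentmodel'` entry in includes/api/ApiBase.php introduces its own error code, while the `'permdenied-undelete'` entry three lines above it reports a missing right with the shared code `'permissiondenied'`. API clients that key on `permissiondenied` to detect a rights failure will not recognise this one. Consider `'code' => 'permissiondenied'` with the same info text, or document the new code alongside the edit module's other errors. The messages array starts and ends outside the hunk.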
@@ -2114,6 +2114,7 @@ 'right-protect' => 'Change protection levels and edit cascade-protected pages', 'right-editprotected' => 'Edit pages protected as "{{int:protect-level-sysop}}"', 'right-editsemiprotected' => 'Edit pages protected as "{{int:protect-level-autoconfirmed}}"', +'right-editcontentmodel' => 'Edit the content model of a page', 'right-editinterface' => 'Edit the user interface', 'right-editusercssjs' => "Edit other users' CSS and JavaScript files", 'right-editusercss' => "Edit other users' CSS files", @@ -2190,6 +2191,7 @@ 'action-viewmywatchlist' => 'view your watchlist', 'action-viewmyprivateinfo' => 'view your private information', 'action-editmyprivateinfo' => 'edit your private information', +'action-editcontentmodel' => 'edit the content model of a page', # Recent changes 'nchanges' => '$1 {{PLURAL:$1|change|changes}}', diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php index e201ad4..6aed268 100644 --- a/languages/messages/MessagesQqq.php +++ b/languages/messages/MessagesQqq.php @@ -3459,6 +3459,7 @@ See also: * {{msg-mw|Right-editprotected}}', +'right-editcontentmodel' => '{{doc-right|editcontentmodel}}', 'right-editinterface' => '{{doc-right|editinterface}}', 'right-editusercssjs' => '{{doc-right|editusercssjs}}', 'right-editusercss' => '{{doc-right|editusercss}} 
@@ -3558,6 +3559,7 @@ {{Identical|View your watchlist}}', 'action-viewmyprivateinfo' => '{{doc-action|viewmyprivateinfo}}', 'action-editmyprivateinfo' => '{{doc-action|editmyprivateinfo}}', +'action-editcontentmodel' => '{{doc-action|editcontentmodel}}', # Recent changes 'nchanges' => 'Appears on enhanced watchlist and recent changes when page has more than one change on given date, linking to a diff of the changes. -- To view, visit https://gerrit.wikimedia.org/r/176200 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I84bd1101e4c234b2db6f650de4a4edc4ca31488a Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_22 Gerrit-Owner: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits