Robert Vogel has submitted this change and it was merged.
Change subject: SECURITY: Users can no longer desysop themselves
......................................................................
SECURITY: Users can no longer desysop themselves
It is no longer possible to revoke one's own sysop rights. Also, mass
group editing now checks for correct permissions.
Change-Id: I86d3af23415dad756ece6538b1b2fa524473c6df
---
M UserManager/UserManager.class.php
M UserManager/UserManager.setup.php
M UserManager/i18n/de-formal.json
M UserManager/i18n/de.json
M UserManager/i18n/en.json
M UserManager/i18n/qqq.json
M UserManager/resources/BS.UserManager/panel/Manager.js
7 files changed, 74 insertions(+), 30 deletions(-)
Approvals:
Robert Vogel: Verified; Looks good to me, approved
diff --git a/UserManager/UserManager.class.php
b/UserManager/UserManager.class.php
index 9a6ff62..032b9df 100644
--- a/UserManager/UserManager.class.php
+++ b/UserManager/UserManager.class.php
@@ -188,6 +188,9 @@
* @return string json encoded response
*/
public static function addUser( $sUsername, $sPassword, $sRePassword,
$sEmail, $sRealname, $aGroups = array() ) {
+
+ $res = $resDelGroups = $resInsGroups = $resERealUser = false;
+
if ( wfReadOnly() ) {
global $wgReadOnly;
return FormatJson::encode( array(
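Review bot: The pre-initialisation `$res = $resDelGroups = $resInsGroups = $resERealUser = false;` is repeated verbatim in addUser here, in editUser (second hunk) and in setUserGroups (fifth hunk), yet in setUserGroups only `$resDelGroups` and `$resInsGroups` are assigned anywhere in this diff, so `$res` and `$resERealUser` look unused there. If the intent is to silence undefined-variable notices on the early-return paths, a comment such as `// initialised so the result checks below are defined on every exit path` would make that explicit; otherwise each method should initialise only the results it actually reads. All three method bodies continue outside their hunks, so the later reads are not visible here.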
@@ -352,6 +355,8 @@
* @return string json encoded response
*/
public static function editUser( $sUsername, $sPassword, $sRePassword,
$sEmail, $sRealname, $aGroups = array() ) {
+ $res = $resDelGroups = $resInsGroups = $resERealUser = false;
+
if ( wfReadOnly() ) {
global $wgReadOnly;
return FormatJson::encode( array(
@@ -373,7 +378,7 @@
$aAnswer['success'] = false;
$aAnswer['message'][] = wfMessage(
'bs-usermanager-idnotexist' )->plain(); // id_noexist = 'This user ID does not
exist'
}
- if ( !$oUser->isValidPassword( $sPassword ) ) {
+ if ( !empty( $sPassword ) && !$oUser->isValidPassword(
$sPassword ) ) {
$aAnswer['success'] = false;
$aAnswer['errors'][] = array(
'id' => 'pass',
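Review bot: `!empty( $sPassword )` treats the string `'0'` as "no password", so a user entering `0` as the new password silently bypasses `isValidPassword()`; `if ( $sPassword !== '' && !$oUser->isValidPassword( $sPassword ) ) {` expresses "no password supplied" without the falsy-value trap. The relaxed check is only safe if the code that later applies the password uses the same test and skips the update when nothing was supplied; that code is outside this hunk (editUser continues past it), so please confirm an empty string cannot reach the password setter.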
@@ -399,6 +404,19 @@
$aAnswer['errors'][] = array(
'id' => 'email',
'message' => wfMessage(
'bs-usermanager-invalid-email-gen' )->plain()
+ );
+ }
+
+ global $wgUser;
+ if (
+ $wgUser->getId() == $oUser->getId() &&
+ in_array( 'sysop', $wgUser->getEffectiveGroups() ) &&
+ !in_array( 'sysop', $aGroups )
+ ) {
+ $aAnswer['success'] = false;
+ $aAnswer['errors'][] = array(
+ 'id' => 'groups',
+ 'message' => wfMessage(
'bs-usermanager-no-self-desysop' )->plain()
);
}
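Review bot: The new self-desysop guard compares ids with `==` and uses non-strict `in_array()`, and it calls `in_array( 'sysop', $aGroups )` without first checking that `$aGroups` is an array, whereas setUserGroups in this same diff guards the group list with `is_array()`. Use `(int)$wgUser->getId() === (int)$oUser->getId()`, pass `true` as the third argument to both `in_array()` calls, and treat a non-array `$aGroups` as an empty list (`is_array( $aGroups ) ? $aGroups : array()`) so the check stays fail-closed without emitting a PHP warning. The guard is also keyed to the literal group name: if the administrative right is granted through some other group in the wiki's permission configuration, removing that group from oneself is still allowed, so checking the right (for example with `$wgUser->isAllowed()`) rather than the `sysop` name would be more robust — the permission setup is not visible in this diff. The remainder of editUser, including whether the database writes are gated on `$aAnswer['success']` as they now are in setUserGroups, lies outside this hunk.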
@@ -538,6 +556,8 @@
}
public static function setUserGroups( $aUserIds, $aGroups ) {
+ $res = $resDelGroups = $resInsGroups = $resERealUser = false;
+
$aAnswer = array(
'success' => true,
'errors' => array(),
@@ -555,29 +575,44 @@
$aAnswer['message'][] = wfMessage(
'bs-wikiadmin-notallowed' )->plain();
}
- $dbw = wfGetDB( DB_MASTER );
- $resDelGroups = $dbw->delete( 'user_groups',
- array(
- 'ug_user' => $aUserIds
- )
- );
+ global $wgUser;
+ if (
+ in_array( $wgUser->getId(), $aUserIds ) &&
+ in_array( 'sysop', $wgUser->getEffectiveGroups() ) &&
+ !in_array( 'sysop', $aGroups )
+ ) {
+ $aAnswer['success'] = false;
+ $aAnswer['errors'][] = array(
+ 'id' => 'groups',
+ 'message' => wfMessage(
'bs-usermanager-no-self-desysop' )->plain()
+ );
+ }
- $resInsGroups = true;
- if( is_array( $aGroups ) ) {
- foreach ( $aGroups as $sGroup ) {
- if ( in_array( $sGroup, self::$excludegroups )
) {
- continue;
- }
- foreach( $aUserIds as $iUserId ) {
- $resInsGroups = $dbw->insert(
- 'user_groups',
- array(
- 'ug_user' =>
(int)$iUserId,
- 'ug_group' =>
addslashes( $sGroup )
- )
- );
- if( $resInsGroups === false ) {
- break;
+ if ( $aAnswer['success'] ) {
+ $dbw = wfGetDB( DB_MASTER );
+ $resDelGroups = $dbw->delete( 'user_groups',
+ array(
+ 'ug_user' => $aUserIds
+ )
+ );
+
+ $resInsGroups = true;
+ if( is_array( $aGroups ) ) {
+ foreach ( $aGroups as $sGroup ) {
+ if ( in_array( $sGroup,
self::$excludegroups ) ) {
+ continue;
+ }
+ foreach( $aUserIds as $iUserId ) {
+ $resInsGroups = $dbw->insert(
+ 'user_groups',
+ array(
+
'ug_user' => (int)$iUserId,
+
'ug_group' => addslashes( $sGroup )
+ )
+ );
+ if( $resInsGroups === false ) {
+ break;
+ }
}
}
}
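Review bot: The `break` after `if( $resInsGroups === false )` only leaves the inner `foreach` over `$aUserIds`; the outer loop over `$aGroups` continues and the next successful insert overwrites `$resInsGroups`, so a failed insert can end up reported as success — `break 2;` exits both loops. More broadly, the `delete` of every `user_groups` row for the selected users followed by per-row inserts runs without a transaction, so a failure part-way leaves those users with a subset of their groups (or none at all); wrapping the block in `$dbw->begin( __METHOD__ )` and committing or rolling back on the combined result would make it atomic, and since the enclosing `if ( $aAnswer['success'] )` block closes outside this hunk, the commit belongs there. Two smaller points: `addslashes( $sGroup )` escapes a value the database layer already quotes, so group names containing quotes are stored with a stray backslash, and the delete removes every membership including groups in `self::$excludegroups` while the insert skips them, which silently strips such a group from any user who legitimately holds it — worth confirming what that list contains. The self-desysop guard added here has the same non-strict `in_array()` comparisons as the one in editUser; `in_array( (int)$wgUser->getId(), array_map( 'intval', $aUserIds ), true )` would compare the ids as integers.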
diff --git a/UserManager/UserManager.setup.php
b/UserManager/UserManager.setup.php
index b86b037..c6d8705 100644
--- a/UserManager/UserManager.setup.php
+++ b/UserManager/UserManager.setup.php
@@ -23,7 +23,8 @@
'bs-usermanager-headergroups',
'bs-usermanager-titledeleteuser',
'bs-usermanager-confirmdeleteuser',
- 'bs-usermanager-groups-more'
+ 'bs-usermanager-groups-more',
+ 'bs-usermanager-no-self-desysop'
),
'localBasePath' => __DIR__ . '/resources',
'remoteExtPath' => 'BlueSpiceExtensions/UserManager/resources'
diff --git a/UserManager/i18n/de-formal.json b/UserManager/i18n/de-formal.json
index b89f7d4..320e38f 100644
--- a/UserManager/i18n/de-formal.json
+++ b/UserManager/i18n/de-formal.json
@@ -9,5 +9,6 @@
"bs-usermanager-invalid-pwd": "Das Passwort ist unzulässig.",
"bs-usermanager-invalid-realname": "Der echte Name ist unzulässig.",
"bs-usermanager-invalid-uname": "Der Benutzername ist unzulässig.",
- "bs-usermanager-confirmdeleteuser": "Sind Sie sicher, dass Sie
{{PLURAL:$1|diesen|diese $1}} Benutzer löschen wollen?"
+ "bs-usermanager-confirmdeleteuser": "Sind Sie sicher, dass Sie
{{PLURAL:$1|diesen|diese $1}} Benutzer löschen wollen?",
+ "bs-usermanager-no-self-desysop" : "Sie können sich nicht selbst das
Sysop recht nehmen."
}
diff --git a/UserManager/i18n/de.json b/UserManager/i18n/de.json
index 879f108..4d6830f 100644
--- a/UserManager/i18n/de.json
+++ b/UserManager/i18n/de.json
@@ -30,5 +30,6 @@
"bs-usermanager-labelpasswordcheck": "Passwort bestätigen",
"bs-usermanager-titledeleteuser": "Benutzer löschen",
"bs-usermanager-confirmdeleteuser": "Bist du sicher, dass du
{{PLURAL:$1|diesen|diese $1}} Benutzer löschen willst?",
- "bs-usermanager-groups-more": "... mehr"
+ "bs-usermanager-groups-more": "... mehr",
+ "bs-usermanager-no-self-desysop" : "Du kannst dir nicht selbst das
Sysop recht nehmen."
}
diff --git a/UserManager/i18n/en.json b/UserManager/i18n/en.json
index 972a1aa..4aa1d26 100644
--- a/UserManager/i18n/en.json
+++ b/UserManager/i18n/en.json
@@ -29,5 +29,6 @@
"bs-usermanager-labelpasswordcheck": "Confirm password",
"bs-usermanager-titledeleteuser": "Delete user",
"bs-usermanager-confirmdeleteuser": "Are you sure, you want to delete
{{PLURAL:$1|this user|these $1 users}}?",
- "bs-usermanager-groups-more": "... more"
+ "bs-usermanager-groups-more": "... more",
+ "bs-usermanager-no-self-desysop" : "You cannot take away your own sysop
right."
}
diff --git a/UserManager/i18n/qqq.json b/UserManager/i18n/qqq.json
index 3bc4b3b..3cbde3f 100644
--- a/UserManager/i18n/qqq.json
+++ b/UserManager/i18n/qqq.json
@@ -30,5 +30,6 @@
"bs-usermanager-labelpasswordcheck": "Label for confirm
password\\n{{Identical|Confirm password}}",
"bs-usermanager-titledeleteuser": "Window title for delete
user\\n{{Identical|Delete user}}",
"bs-usermanager-confirmdeleteuser": "Text for are you sure, you want to
delete {{PLURAL:$1|this user|these $1 users}}?\\n $1 is the number of users
which will be deleted - use for PLURAL distinction.",
- "bs-usermanager-groups-more": "Text of a link that expands the list of
groups\n{{Identical|More}}"
+ "bs-usermanager-groups-more": "Text of a link that expands the list of
groups\n{{Identical|More}}",
+ "bs-usermanager-no-self-desysop" : "Text for the error message if a
user tries to desysop themselves."
}
diff --git a/UserManager/resources/BS.UserManager/panel/Manager.js
b/UserManager/resources/BS.UserManager/panel/Manager.js
index 6629638..242ff4f 100644
--- a/UserManager/resources/BS.UserManager/panel/Manager.js
+++ b/UserManager/resources/BS.UserManager/panel/Manager.js
@@ -326,7 +326,11 @@
method: 'post',
success: function( response, opts ) {
var responseObj = Ext.decode(
response.responseText );
- this.renderMsgSuccess( responseObj );
+ if ( responseObj.success === true ) {
+ this.renderMsgSuccess( responseObj );
+ } else {
+ this.renderMsgFailure( responseObj );
+ }
}
});
},
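Review bot: The new branch handles a well-formed error response, but `Ext.decode( response.responseText )` still throws on a non-JSON body (for instance a server error page), so that failure is neither rendered nor reported; `var responseObj = Ext.decode( response.responseText, true );` returns null instead, and `if ( responseObj && responseObj.success === true ) {` then routes the null through `renderMsgFailure` like any other failure. `renderMsgFailure` is not visible in this diff (only `renderMsgSuccess` appears, in the next hunk), so please confirm it exists on this panel. The request options above this hunk are not shown either; if there is no `failure:` handler for HTTP-level errors, one should be added alongside this change.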
@@ -339,7 +343,7 @@
} else if ( this.active === 'edit' ) {
this.dlgUserEdit.show();
} else if ( this.active === 'edit-multi-groups' ) {
- this.dlgUserGroupsEdit.show();
+ this.dlgUserGroups.show();
}
},
renderMsgSuccess: function( responseObj ) {
--
To view, visit https://gerrit.wikimedia.org/r/177768
Gerrit-MessageType: merged
Gerrit-Change-Id: I86d3af23415dad756ece6538b1b2fa524473c6df
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/BlueSpiceExtensions
Gerrit-Branch: master
Gerrit-Owner: Mglaser <[email protected]>
Gerrit-Reviewer: Pigpen <[email protected]>
Gerrit-Reviewer: Raimond Spekking <[email protected]>
Gerrit-Reviewer: Robert Vogel <[email protected]>
Gerrit-Reviewer: Siebrand <[email protected]>
Gerrit-Reviewer: Smuggli <[email protected]>
Gerrit-Reviewer: jenkins-bot <>