https://bugzilla.wikimedia.org/show_bug.cgi?id=36282
Web browser: ---
Bug #: 36282
Summary: Users may remove protection levels higher than those they can grant
Product: MediaWiki
Version: 1.18.1
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: Unprioritized
Component: Page protection
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Mobile Platform: ---
I noticed this bug when playing around with some of the settings on my work's
internal wiki. It's a little complicated to reproduce, but in a nutshell, if a
user is granted the 'protect' right, they can place pages under protection up
to and including the highest level they are able to themselves edit (or move or
whatever). This implies, and the documentation appears to state, that they
cannot *remove* any existing protection higher than what they are able to
place:
"If you set a level higher than sysops, that is, protection from sysop editing,
sysops cannot give a page that level of protection nor remove it, even with the
'protect' permission." -
http://www.mediawiki.org/wiki/Manual:$wgRestrictionLevels
Unfortunately, this is almost precisely what happened on my wiki. To duplicate:
1. In LocalSettings.php, add the following lines. These should replace the
default protection levels with one called "level1" and another "level2". It
also creates a new user group called "level1editor" that is allowed to edit
"level1" protected pages and place protection on pages up to "level1":
$wgRestrictionLevels = array('', 'level1', 'level2');
$wgGroupPermissions['level1editor']['level1'] = true;
$wgGroupPermissions['level1editor']['protect'] = true;
$wgGroupPermissions['sysop']['level1'] = true;
$wgGroupPermissions['sysop']['level2'] = true;
2. Log into a bureaucrat account. Give yourself +sysop and +level1editor.
3. Go to a random page and ensure you can issue all levels of protection. Give
the page "level2" protection.
4. Go back to Special:Userrights and remove your sysop flag.
5. Go back to the "level2" protected page; confirm you cannot edit it.
6. Open its protection settings. You should only see "Allow all users" and
"Require "level1" permission" listed as options.
7. Pick one and save the settings.
--> ERROR: You've just removed protection that you are not able to edit
through.
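The authorization gap in steps 6 and 7 can be modelled in a few lines: the check that only validates the *new* level beside one that also validates the *existing* level. This is an added illustration using the report's own $wgRestrictionLevels and $wgGroupPermissions values as constructed data; the functions are a hypothetical simplification and are not MediaWiki's ProtectionForm code.

```python
# Constructed model of the protection change check from the report above.
# The configuration mirrors the LocalSettings.php lines in the reproduction;
# the functions are hypothetical, not MediaWiki's own implementation.
RESTRICTION_LEVELS = ["", "level1", "level2"]          # $wgRestrictionLevels

GROUP_PERMISSIONS = {                                   # $wgGroupPermissions
    "level1editor": {"level1", "protect"},
    "sysop": {"level1", "level2"},
}


def user_rights(groups):
    """Union of the rights granted by every group the user belongs to."""
    rights = set()
    for group in groups:
        rights |= GROUP_PERMISSIONS.get(group, set())
    return rights


def can_hold_level(rights, level):
    """'' (no protection) is open to everyone; a named level needs the matching right."""
    return level == "" or level in rights


def grantable_levels(rights):
    """The options a user would see in the protection form (steps 3 and 6)."""
    return [lvl for lvl in RESTRICTION_LEVELS if can_hold_level(rights, lvl)]


def change_protection_buggy(groups, current_level, new_level):
    """Reported behaviour: only the requested new level is checked, so a user
    can replace (i.e. remove) a level they could never have edited through."""
    rights = user_rights(groups)
    return "protect" in rights and can_hold_level(rights, new_level)


def change_protection_fixed(groups, current_level, new_level):
    """Hardened check: refuse unless the user could grant BOTH the level that is
    currently on the page and the level they are asking for."""
    rights = user_rights(groups)
    if "protect" not in rights:
        return False
    if not can_hold_level(rights, current_level):
        return False  # existing level is above what this user may grant
    return can_hold_level(rights, new_level)
```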