https://bugzilla.wikimedia.org/show_bug.cgi?id=69380
--- Comment #6 from Brad Jorsch ---
(In reply to Kunal Mehta (Legoktm) from comment #0)
> Background: "superprotect" launched on de.wp which prevented admins from
> editing the page, but they were still able to delete it and undelete it,
> which then removed the protection status.

While that's how the bug was discovered, when I heard "deleting and undeleting a page bypasses protection" I immediately thought "That's a security bug, and I probably know how to fix it." And also "Ugh, people posted a security bug on a public mailing list?"

I'd have written the same patch if the issue came in without attached drama, although I'd have properly attached it to the security bug in that case; here there didn't seem to be a point since it was already public. But because it did come with attached drama, people are over-analyzing everything and claiming hypothetical workflows are somehow super-important.

> Political issues aside, should we require users to be able to edit the page
> before they can take an action upon it?
>
> I don't believe that we should, and that userrights and the different
> actions should be independent of each other. It's called "edit" protection,
> and should only stop against edits.

If we don't use the 'edit' protection for these other actions, then we'd need to add individual protections for every action. That'll be a big and potentially-confusing protect form, and we'll likely need to retroactively update existing protections, but it could work. I imagine JS-using admins will continue to mostly leave the "Unlock further protect options" checkbox checked.
