daniel created this task.
daniel added projects: Wikidata, Wikidata-Sprint.
Herald added a subscriber: Aklapper.

TASK DESCRIPTION

Permission for entity creation is currently not checked consistently. We do:

  • require 'property-create' for SpecialNewProperty, by specifying it as a required permission in the parent constructor.
  • EditEntity uses EntityPermissionChecker to check the "edit" permission.
    • EditEntity::addRequiredPermission() is never called
  • EntityContentFactory also requires 'createpage' if the Entity's ID is null (!)
  • Api/EditPage::getRequiredPermissions() returns 'edit'; if the entity ID is null (new entity), it also returns 'createpage' and 'property-create'

This shows that permission checks are distributed all over the code, and partially inconsistent.

Also, some API modules that allow the creation of entities may not check all necessary permissions.

Necessary permissions should be determined and checked in a central place. EditEntity seems to be the right place for this, since all entity edits go through there, and it has enough information about the user.

NOTE: this does not currently pose a security risk on wikidata.org, since a) the 'edit' and 'createpage' permissions are always checked and b) only Properties require an extra permission and c) property creation is only possible via wbeditentity, which does check 'property-create'.

TASK DETAIL
https://phabricator.wikimedia.org/T166586

To: daniel
Cc: Aklapper, daniel, GoranSMilovanovic, QZanden, Izno, Wikidata-bugs, aude, Mbch331