| daniel created this task. daniel added projects: Wikidata, MediaWiki-extensions-WikibaseRepository, Security-General. Herald added a subscriber: Aklapper. |
As per T170673: Make ChangeOps define required permissions, ChangeOps expose the permissions (actions) they require, but we do not always check them.
In particular, Statement-related API modules like wbsetclaim, wbsetclaimvalue, wbsetqualifier, and wbsetreference do not check the actions declared by the respective ChangeOp. Only the generic checks for edit permissions are performed by EditEntity::checkEditPermissions().
Other API modules do this: ModifyEntity::checkPermissions covers the term-related API modules as well as wbsetsitelink and the generic wbeditentity API module.
Note that this is presently not a problem in practice, since we currently do not have special permissions defined for modifying Statements. But it's an inconsistency that may lead to nasty surprises down the road.
Cc: Aklapper, daniel, Lahi, Gq86, GoranSMilovanovic, QZanden, Wikidata-bugs, aude, csteipp, Mbch331, Jay8g
_______________________________________________ Wikidata-bugs mailing list Wikidata-bugs@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
