User "Aaron Schulz" posted a comment on MediaWiki.r92364.

Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/92364#c20459

Commit summary:

First steps for bug 14801: add backend support for per-namespace permissions to core. This extends $wgGroupPermissions syntax from $wgGroupPermissions[$group][$right] = bool to $wgGroupPermissions[$group][$right] = array( NS_X => bool ). This is safely backwards compatible; the booleans are still fully supported, and any unset namespace will default to false.
* User::getRights(), User::isAllowed() and User::getGroupPermissions now optionally accept a namespace parameter. If not set, it will check whether the user has the right for all namespaces.
* Anything that uses Title::getUserPermissionsErrorsInternal() automatically supports per-namespace permissions. This includes Title::getUserPermissionsErrors and Title::(quick)UserCan.
* Fix tests that set User::mRights

The next step would be to change all User::isAllowed() to Title::quickUserCan or pass the namespace to User::isAllowed().

Comment:

I don't like how easy it is to have privilege escalation. Say you can't do action X to pages in namespace Y, but you can move pages from that namespace to something else, then one can circumvent the restrictions. I also wonder what other pitfalls exist.

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
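The following is an added example, not code from the commit or from MediaWiki: a simplified stand-alone model of the bool-or-array rule the commit summary describes, plus a configuration audit for the move-based bypass raised in the comment. The namespace IDs, group names, sample configuration and the functions groupAllows() and auditMoveBypass() are constructed for illustration, and the model assumes 'move' is checked against the source namespace.

```php
<?php
// Simplified model for this example, not MediaWiki's implementation; all values are constructed.
const NS_MAIN = 0;
const NS_USER = 2;
const NS_POLICY = 100; // hypothetical restricted namespace
const ALL_NAMESPACES = [NS_MAIN, NS_USER, NS_POLICY];

$groupPermissions = [
    'user' => [
        'read' => true,                               // legacy boolean form
        'edit' => [NS_MAIN => true, NS_USER => true], // NS_POLICY unset => false
        'move' => true,
    ],
    'sysop' => ['edit' => true, 'move' => true],
];

// Boolean rule applies to every namespace; array rule is per namespace with
// unset entries denied; $ns === null asks "allowed in all namespaces?".
function groupAllows(array $perms, string $group, string $right, ?int $ns = null): bool {
    $rule = $perms[$group][$right] ?? false;
    if (is_bool($rule)) {
        return $rule;
    }
    $check = $ns === null ? ALL_NAMESPACES : [$ns];
    foreach ($check as $n) {
        if (!($rule[$n] ?? false)) {
            return false;
        }
    }
    return true;
}

// Flag (group, right, namespace) triples where the right is denied in a namespace,
// the group may move pages there, and the right is granted in another namespace.
function auditMoveBypass(array $perms): array {
    $findings = [];
    foreach ($perms as $group => $rights) {
        foreach (array_diff(array_keys($rights), ['move']) as $right) {
            $granted = array_filter(ALL_NAMESPACES, fn($n) => groupAllows($perms, $group, $right, $n));
            foreach (array_diff(ALL_NAMESPACES, $granted) as $ns) {
                if ($granted && groupAllows($perms, $group, 'move', $ns)) {
                    $findings[] = "$group: '$right' denied in namespace $ns but 'move' is allowed there";
                }
            }
        }
    }
    return $findings;
}
print_r(auditMoveBypass($groupPermissions));
```

A finding from this audit means the per-namespace restriction depends on 'move' also being restricted for that namespace, which is the coupling the comment warns about.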
