iBet uBet web content aggregator. Adding the entire web to your favor.
iBet uBet web content aggregator. Adding the entire web to your favor.



Link to original content: https://phabricator.wikimedia.org/T354460
⚓ T354460 purge actions are affected by permission check via $wgNamespaceProtection or config pages (.js/.css)
Page MenuHomePhabricator
Create Task
Maniphest T354460

purge actions are affected by permission check via $wgNamespaceProtection or config pages (.js/.css)
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

or

What happens?:
The permission check is to restrict:
Without a sysop account the warning/text "This page provides interface text for the software on this wiki, and is protected to prevent abuse. To add or change translations for all wikis, please use [https://translatewiki.net/ translatewiki.net], the MediaWiki localisation project." is shown

Since the use of Authority for ratelimit (T310476 ) in Action API's action=purge (26456e5b) or index.php (07a9c87b) the purge action is affected by unrelated permission checks
I have seen it for namespace protection (like MediaWiki namespace) and protection of config pages (js/css) of users, like common.js.
This is at least a behaviour change/regression or a wanted breaking change.

What should have happened instead?:
Allow the purge as it was before or document the new permission check. Implicit rights like purge are designed to work for ratelimit only, according to the comment in code:

Implicit rights are defined to allow rate limits to be imposed on permissions

Software version (skip for WMF-hosted wikis like Wikipedia): master

Details

SubjectRepoBranchLines +/-
Use Authority::authorizeAction for implicit purge/linkpurge rightmediawiki/coremaster+7 -15
Customize query in gerrit

Related Objects

Event Timeline

Umherirrender created this task.Jan 5 2024, 11:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2024, 11:16 PM
Umherirrender mentioned this in T354461: Permission warnings on Action API action=purge&forcelinkupdate= results in skipping the remaining titles from the request.Jan 5 2024, 11:22 PM
Pppery subscribed.Jan 6 2024, 12:22 AM

This seems correct to me as is. Why should you be able to purge a page you can't edit?

Umherirrender added a comment.Jan 6 2024, 12:30 AM
In T354460#9438896, @Pppery wrote:

This seems correct to me as is. Why should you be able to purge a page you can't edit?

That is not how purges works before the change. If that is the new behaviour, maybe I should find a good place to document that.

On the other side I can purge the enwp main page, but I cannot edit it - https://en.wikipedia.org/wiki/Special:ApiSandbox#action=purge&format=json&titles=Main%20Page&formatversion=2,
so it's not about all protections/permissions (like page protections from sysops)

NoOnEtHeMaStA added a commit: rMEXTf658c3375869: Update git submodules.Jan 7 2024, 9:15 PM
Aklapper removed a commit: rMEXTf658c3375869: Update git submodules.Jan 7 2024, 9:25 PM
Umherirrender added a subscriber: daniel.Jan 10 2024, 8:33 PM
Umherirrender mentioned this in T351729: Bot1058 is unable to perform a link update using the API.Jan 25 2024, 6:10 PM
Tgr added a project: MediaWiki-Engineering.Jan 26 2024, 5:25 PM
Tgr subscribed.

Tagging MediaWiki-Engineering - a predecessor team broke this so we should probably fix it.

gerritbot added a comment.Jan 26 2024, 10:29 PM

Change 993195 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/core@master] Use Authority::authorizeAction for implicit purge/linkpurge right

https://gerrit.wikimedia.org/r/993195

gerritbot added a project: Patch-For-Review.Jan 26 2024, 10:29 PM
daniel added a comment.Jan 27 2024, 5:11 PM
In T354460#9491269, @Tgr wrote:

Tagging MediaWiki-Engineering - a predecessor team broke this so we should probably fix it.

Right, that way me, sorry about that. And thanks for the fix, @Umherirrender!

gerritbot added a comment.Jan 29 2024, 2:34 PM

Change 993195 merged by jenkins-bot:

[mediawiki/core@master] Use Authority::authorizeAction for implicit purge/linkpurge right

https://gerrit.wikimedia.org/r/993195

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.16; 2024-01-30).Jan 29 2024, 3:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 29 2024, 3:30 PM
Umherirrender closed this task as Resolved.Jan 29 2024, 5:40 PM
Umherirrender claimed this task.
Wbm1058 mentioned this in T354042: Forward X-Wikimedia-Debug header to MediaWiki jobs.Jun 5 2024, 1:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits