From: Ryan Schmidt
Date: Sat, 24 May 2008 16:49:05 +0000 (+0000)
Subject: * fixing bug 14241: pages can no longer be protected to levels you are not in
X-Git-Tag: 1.31.0-rc.0~47405
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/supprimer.php?a=commitdiff_plain;h=0f1cbdc80fd4563f4cb4fb902384843ef9fef981;p=lhc%2Fweb%2Fwiklou.git
* fixing bug 14241: pages can no longer be protected to levels you are not in
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 44b38c518c..284929a56c 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -299,6 +299,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * (bug 14199) Fix deletion form for image redirect pages
 * (bug 14220) Disabling $wgCheckFileExtensions now works without also disabling $wgStrictFileExtensions
+* (bug 14241) Pages can no longer be protected to levels you are not in
 === API changes in 1.13 ===
diff --git a/includes/ProtectionForm.php b/includes/ProtectionForm.php
index b04d661cca..b77891cf01 100644
--- a/includes/ProtectionForm.php
+++ b/includes/ProtectionForm.php
@@ -72,6 +72,15 @@ class ProtectionForm {
 foreach( $this->mApplicableTypes as $action ) {
 $val = $wgRequest->getVal( "mwProtect-level-$action" );
 if( isset( $val ) && in_array( $val, $wgRestrictionLevels ) ) {
+ //prevent users from setting levels that they cannot later unset
+ if( $val == 'sysop' ) {
+ //special case, rewrite sysop to either protect and editprotected
+ if( !$wgUser->isAllowed('protect') && !$wgUser->isAllowed('editprotected') )
+ continue;
+ } else {
+ if( !$wgUser->isAllowed($val) )
+ continue;
+ }
 $this->mRestrictions[$action] = $val;
 }
 }
@@ -315,7 +324,7 @@ class ProtectionForm {
 }
 function buildSelector( $action, $selected ) {
- global $wgRestrictionLevels;
+ global $wgRestrictionLevels, $wgUser;
 $id = 'mwProtect-level-' . $action;
 $attribs = array(
 'id' => $id,
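Review bot: A level the user may not set is dropped with a bare `continue` in the added block of the `-72,6 +72,15` hunk, so `$this->mRestrictions[$action]` keeps whatever it held before and nothing visible here tells the user or a log that the request was refused. This loop is the server-side enforcement (the selector filtering in buildSelector only shapes the form), so I would record the refusal before each `continue`, e.g. `wfDebug( "ProtectionForm: refused level '$val' for $action\n" );`. The else branch also hands the empty "no restriction" level to `$wgUser->isAllowed($val)` whenever `$wgRestrictionLevels` contains it, as MediaWiki's default list does. Whether unprotecting still works then depends on how `isAllowed` treats an empty string, which this hunk does not show, so an explicit `$val == ''` case would state the intent. The enclosing method starts before the hunk, so it cannot be confirmed from here that `$wgUser` is declared global in it.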
@@ -326,6 +335,15 @@ class ProtectionForm {
 $out = Xml::openElement( 'select', $attribs );
 foreach( $wgRestrictionLevels as $key ) {
+ //don't let them choose levels above their own (aka so they can still unprotect and edit the page). but only when the form isn't disabled
+ if( $key == 'sysop' ) {
+ //special case, rewrite sysop to protect and editprotected
+ if( !$wgUser->isAllowed('protect') && !$wgUser->isAllowed('editprotected') && $this->disabled )
+ continue;
+ } else {
+ if( !$wgUser->isAllowed($key) && !$this->disabled )
+ continue;
+ }
 $out .= Xml::option( $this->getOptionLabel( $key ), $key, $key == $selected );
 }
 $out .= Xml::closeElement( 'select' );
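Review bot: The sysop branch tests `&& $this->disabled`, while the else branch and the comment above it ("only when the form isn't disabled") use `!$this->disabled`, so the two branches behave oppositely. As written, the sysop option is never filtered on an enabled form and is filtered only on a disabled one, where the read-only selector then cannot mark a page's current sysop level as selected. The condition presumably should read `if( !$wgUser->isAllowed('protect') && !$wgUser->isAllowed('editprotected') && !$this->disabled )`. This filter only shapes the form; the level check in the constructor loop (the `-72,6 +72,15` hunk of this file) remains the actual enforcement. buildSelector's body starts and ends outside this hunk.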