* The $wgPasswordSenderName setting, ignored since 1.23 by MediaWiki and almost
all extensions, is no longer set at all. Instead, you can modify the system
message `emailsender`.
+* A new configuration setting, $wgRawHtmlMessages, is added, for listing
+ messages which are displayed as raw HTML.
=== New features in 1.32 ===
* (T112474) Generalized the ResourceLoader mechanism for overriding modules
*/
$wgCSPReportOnlyHeader = false;
+/**
+ * List of messages which might contain raw HTML.
+ * Extensions should add their messages here. The list is used for access control:
+ * changing messages listed here will require editsitecss and editsitejs rights.
+ *
+ * @since 1.32
+ * @var string[]
+ */
+$wgRawHtmlMessages = [
+ 'copyright',
+ 'history_copyright',
+ 'googlesearch',
+ 'feedback-terms',
+ 'feedback-termsofuse',
+];
+
/**
* Mapping of event channels (or channel categories) to EventRelayer configuration.
*
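Review bot: The `history_copyright` entry probably never matches, because `isRawHtmlMessage()` compares this list against `lcfirst( $this->getRootText() )` and the text form of a title normally carries spaces where the message key has underscores. If that holds, that message stays editable without the extra rights, so the comparison should use the DB-key form of the title (or normalise spaces to underscores) before the `in_array()` call. The docblock should also state the expected key format, for example `Keys are message names with a lowercase first letter and underscores, as used in the MediaWiki namespace.`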
);
}
+ /**
+ * Is this a message which can contain raw HTML?
+ *
+ * @return bool
+ * @since 1.32
+ */
+ public function isRawHtmlMessage() {
+ global $wgRawHtmlMessages;
+
+ if ( $this->inNamespace( NS_MEDIAWIKI ) ) {
+ return false;
+ }
+ $message = lcfirst( $this->getRootText() );
+ return in_array( $message, $wgRawHtmlMessages, true );
+ }
+
/**
* Is this a talk page of some sort?
*
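Review bot: The namespace guard in `isRawHtmlMessage()` looks inverted: `if ( $this->inNamespace( NS_MEDIAWIKI ) ) { return false; }` returns false for every page in the MediaWiki namespace, so the raw-HTML messages this method is meant to identify are never flagged and the new editsitejs/editsitecss requirement would not apply to them. As written it can instead match pages in other namespaces whose root text happens to equal a listed key. The guard should read `if ( !$this->inNamespace( NS_MEDIAWIKI ) ) {`. A unit test covering a listed message, an unlisted message and a same-named page outside NS_MEDIAWIKI would pin this access-control behaviour.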
$error = [ 'sitejsonprotected', $action ];
} elseif ( $this->isSiteJsConfigPage() && !$user->isAllowed( 'editsitejs' ) ) {
$error = [ 'sitejsprotected', $action ];
+ } elseif ( $this->isRawHtmlMessage() ) {
+ // Raw HTML can be used to deploy CSS or JS so require rights for both.
+ if ( !$user->isAllowed( 'editsitejs' ) ) {
+ $error = [ 'sitejsprotected', $action ];
+ } elseif ( !$user->isAllowed( 'editsitecss' ) ) {
+ $error = [ 'sitecssprotected', $action ];
+ }
}
if ( $error ) {