From 1cbaa921589a1858bbf89221bef36c663f7fc7c0 Mon Sep 17 00:00:00 2001
From: MatmaRex
Date: Wed, 24 Apr 2013 21:16:51 +0200
Subject: [PATCH] Add $wgCascadingRestrictionLevels

A page can only be protected with cascading protection if the requested restriction level is included in this array. This replaces previously hard-coded values of 'sysop' and 'protect'. This is necessary, because if any protection could be cascading, users could who cannot normally protect pages could "protect" them by transcluding them on protected pages they are allowed to edit.
Bug: 47617
Change-Id: I5f8bcc899b46d466161894606cd27bf3b8624bd0
---
 RELEASE-NOTES-1.22 | 3 +++
 includes/DefaultSettings.php | 15 +++++++++++++++
 includes/ProtectionForm.php | 11 ++---------
 includes/WikiPage.php | 13 +++++++++----
 4 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 07afffe3e8..ad12bf9cd1 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -15,6 +15,7 @@ production.
 activated; when $wgUseVFormCreateAccount is true, the redesign of Special:UserLogin/signup is activated.
 * $wgVectorUseIconWatch is now enabled by default.
+* $wgCascadingRestrictionLevels was added.
 === New features in 1.22 ===
 * (bug 44525) mediawiki.jqueryMsg can now parse (whitelisted) HTML elements and attributes.
@@ -67,6 +68,8 @@ production.
 * mediawiki.log: Added log.warn wrapper (uses console.warn and console.trace).
 * mediawiki.log: Implemented log.deprecate. This method defines a property and uses ES5 getter/setter to emit a warning when they are used.
+* $wgCascadingRestrictionLevels was added, allowing one to specify restriction levels
+ which can be cascading (previously 'sysop' was hard-coded as the only one).
 === Bug fixes in 1.22 ===
 * Disable Special:PasswordReset when $wgEnableEmail. Previously one could still
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 5330caf048..46ca7edbae 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4044,6 +4044,21 @@ $wgRestrictionTypes = array( 'create', 'edit', 'move', 'upload' );
 */
 $wgRestrictionLevels = array( '', 'autoconfirmed', 'sysop' );
+/**
+ * Restriction levels that can be used with cascading protection
+ *
+ * A page can only be protected with cascading protection if the
+ * requested restriction level is included in this array.
+ *
+ * This is intended to prevent abuse - if any protection could be
+ * cascading, users could who cannot normally protect pages could
+ * "protect" them by transcluding them on protected pages they are
+ * allowed to edit.
+ *
+ * 'sysop' is quietly rewritten to 'protect' for backwards compatibility.
+ */
+$wgCascadingRestrictionLevels = array( 'sysop' );
+
 /**
 * Set the minimum permissions required to edit pages in each
 * namespace. If you list more than one permission, a user must
diff --git a/includes/ProtectionForm.php b/includes/ProtectionForm.php
index 9439b90c92..0ac874964e 100644
--- a/includes/ProtectionForm.php
+++ b/includes/ProtectionForm.php
@@ -614,16 +614,9 @@ class ProtectionForm {
 }
 function buildCleanupScript() {
- global $wgRestrictionLevels, $wgOut;
+ global $wgRestrictionLevels, $wgCascadingRestrictionLevels, $wgOut;
- $cascadeableLevels = array();
- foreach ( $wgRestrictionLevels as $key ) {
- if ( User::groupHasPermission( $key, 'protect' )
- || $key == 'protect'
- ) {
- $cascadeableLevels[] = $key;
- }
- }
+ $cascadeableLevels = $wgCascadingRestrictionLevels;
 $options = array(
 'tableId' => 'mwProtectSet',
 'labelText' => wfMessage( 'protect-unchain-permissions' )->plain(),
diff --git a/includes/WikiPage.php b/includes/WikiPage.php
index f2c9c298d3..da6fff370e 100644
--- a/includes/WikiPage.php
+++ b/includes/WikiPage.php
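Review bot: The doc comment on `$wgCascadingRestrictionLevels` explains the abuse it prevents but not which entries are safe to add, and nothing visible in this commit validates the array, so a site that lists a level held by users without the 'protect' right (for example 'autoconfirmed') reopens the transclusion bypass the comment describes. I would add a line such as `* Only list levels that require a right granted solely to users who can also protect pages; never list ''.` The phrase "users could who cannot normally protect pages could" is garbled and should read "users who cannot normally protect pages could". The last line says 'sysop' is "rewritten" to 'protect', but the check in WikiPage.php appends 'protect' and keeps 'sysop'; `* If 'sysop' is listed, 'protect' is accepted as well for backwards compatibility.` would match the code.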
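Review bot: `$cascadeableLevels` in buildCleanupScript now takes the raw setting, while the server-side check in WikiPage.php also accepts 'protect' whenever 'sysop' is listed, so the form and doUpdateRestrictions can disagree about which levels may cascade. The removed loop did treat 'protect' as cascadeable, so a wiki that still uses that level name would presumably see the form behave differently from what is accepted on save. Applying the same alias here keeps the two in step: `if ( in_array( 'sysop', $cascadeableLevels, true ) ) { $cascadeableLevels[] = 'protect'; }`. A comment such as `// UI hint only; doUpdateRestrictions() enforces the allow-list` would also record that this list is not the security boundary. The function continues past the end of the hunk, so how the list is consumed is not visible here.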
@@ -2221,7 +2221,7 @@ class WikiPage implements Page, IDBAccessObject {
 * @return Status
 */
 public function doUpdateRestrictions( array $limit, array $expiry, &$cascade, $reason, User $user ) {
- global $wgContLang;
+ global $wgContLang, $wgCascadingRestrictionLevels;
 if ( wfReadOnly() ) {
 return Status::newFatal( 'readonlytext', wfReadOnlyReason() );
@@ -2344,12 +2344,17 @@ class WikiPage implements Page, IDBAccessObject {
 return Status::newGood();
 }
- // Only restrictions with the 'protect' right can cascade...
- // Otherwise, people who cannot normally protect can "protect" pages via transclusion
+ // Only certain restrictions can cascade... Otherwise, users who cannot normally protect pages
+ // could "protect" them by transcluding them on protected pages they are allowed to edit.
 $editrestriction = isset( $limit['edit'] ) ? array( $limit['edit'] ) : $this->mTitle->getRestrictions( 'edit' );
+ $cascadingRestrictionLevels = $wgCascadingRestrictionLevels;
+ if ( in_array( 'sysop', $cascadingRestrictionLevels ) ) {
+ $cascadingRestrictionLevels[] = 'protect'; // backwards compatibility
+ }
+
 // The schema allows multiple restrictions
- if ( !in_array( 'protect', $editrestriction ) && !in_array( 'sysop', $editrestriction ) ) {
+ if ( !array_intersect( $editrestriction, $cascadingRestrictionLevels ) ) {
 $cascade = false;
 }
--
2.20.1
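Review bot: The alias test `in_array( 'sysop', $cascadingRestrictionLevels )` in the second hunk compares loosely, so a non-string entry in the configured array such as `true` would match and silently add 'protect' to the allow-list even though 'sysop' was never listed. Because this is the server-side gate for cascading protection, I would make it strict: `if ( in_array( 'sysop', $cascadingRestrictionLevels, true ) ) {`. The intersect also accepts the empty level `''` if an operator copies `$wgRestrictionLevels` into the new setting, which would leave `$cascade` set for a page with no edit restriction; dropping it first with `$cascadingRestrictionLevels = array_diff( $wgCascadingRestrictionLevels, array( '' ) );` avoids relying on later code. The rest of doUpdateRestrictions lies outside the hunk, so whether a later check already handles that case cannot be confirmed from here.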