Separate right for foreign user js redirects
author Gergő Tisza <tgr.huwiki@gmail.com>
Thu, 1 Nov 2018 23:29:22 +0000 (16:29 -0700)
committer Gergő Tisza <tgr.huwiki@gmail.com>
Wed, 17 Jul 2019 23:09:12 +0000 (01:09 +0200)
commit d8eaae539c9b6d5233f71f0b8719a8b2adc42e4f
tree e2909e801cf61d2abe1fbe455262acf38b4681d2
parent 5c771bda882791647922d00d39bf95b60bdad9ae
Separate right for foreign user js redirects

Require a new editmyuserjsredirect permission for users to edit
Javascript redirects in their userspace when the redirect target
is not in their userspace (unless they have edituserjs and can
edit any user JS anyway). This is to prevent attacks where a
popular userscript has been moved into the system namespace or
another safe location but many users still load it through the
original userspace redirect, and the attacker manages to take
over the userspace by compromising the account or getting it
renamed.

Since this is only a concern on large community wikis, by
default all users have the editmyuserjsredirect permission.

Bug: T207750
Change-Id: I36a879d5da04cb6f49ed1bc40dbe144f6862c6a1
Depends-On: I072cf857c1fff4578402904aa9cb5a0c8833f16f
RELEASE-NOTES-1.34
includes/DefaultSettings.php
includes/Permissions/PermissionManager.php
includes/ServiceWiring.php
languages/i18n/en.json
languages/i18n/qqq.json
tests/phpunit/includes/Permissions/PermissionManagerTest.php
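
The rule the commit message describes, modelled as a stand-alone PHP sketch (an added example, not code from this commit or from MediaWiki). The right names are those in the commit message; the function names, user names and page titles are constructed, and the ordinary permission to edit one's own user JS is assumed to have been checked already.

```php
<?php
// Stand-alone model of the rule in the commit message; not MediaWiki code.
// Right names come from the commit message; everything else is hypothetical.

/** True if $title is the user page of $user or one of its subpages. */
function inUserspace(string $title, string $user): bool {
    $root = "User:$user";
    // The "/" keeps "User:Al" from matching "User:Alice/x.js".
    return $title === $root || strpos($title, "$root/") === 0;
}

/**
 * May $user edit a JS page in their own userspace?
 * $redirectTarget is null when the page is not a redirect.
 * Assumes the ordinary own-JS edit check has already passed.
 */
function mayEditOwnJsPage(array $rights, string $user, ?string $redirectTarget): bool {
    if (in_array('edituserjs', $rights, true)) {
        return true; // can edit any user JS anyway
    }
    if ($redirectTarget === null || inUserspace($redirectTarget, $user)) {
        return true; // not a redirect, or the redirect stays in own userspace
    }
    // Redirect pointing outside the editor's userspace: the new right is required.
    return in_array('editmyuserjsredirect', $rights, true);
}

// Constructed cases: [rights, user, redirect target, expected result]
$cases = [
    [[], 'Alice', null, true],
    [[], 'Alice', 'User:Alice/new.js', true],
    [[], 'Alice', 'MediaWiki:Gadget-popular.js', false],
    [[], 'Al', 'User:Alice/new.js', false],
    [['editmyuserjsredirect'], 'Alice', 'MediaWiki:Gadget-popular.js', true],
    [['edituserjs'], 'Alice', 'MediaWiki:Gadget-popular.js', true],
];
foreach ($cases as [$rights, $user, $target, $expected]) {
    $got = mayEditOwnJsPage($rights, $user, $target);
    printf("%-22s %-6s %-30s %s\n", implode(',', $rights) ?: '(none)', $user,
        $target ?? '(not a redirect)', $got === $expected ? 'ok' : 'MISMATCH');
}
```

The third case is the one the commit targets: without editmyuserjsredirect, whoever controls the account cannot edit a userspace redirect whose target is outside that userspace.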