From d3f99b08110eaa86e45f7776eec784c3f108e102 Mon Sep 17 00:00:00 2001
From: Tim Starling <tstarling@users.mediawiki.org>
Date: Sun, 31 Aug 2008 13:03:30 +0000
Subject: [PATCH] Make it a lot harder to unprotect the MediaWiki namespace. In
 response to cs.wikinews.org screwup.

---
 RELEASE-NOTES                | 3 +++
 includes/DefaultSettings.php | 3 ++-
 includes/Setup.php           | 9 +++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index a214f15cfa..717c3d6c5f 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -40,6 +40,9 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
   is true per default, but can be set to false to allow any title.
 * $wgSpamRegex may now be an array of multiple regular expressions.
 * $wgAjaxSearch has been removed; use $wgEnableMWSuggest instead.
+* Editing the MediaWiki namespace is now unconditionally restricted to people 
+  with the editinterface right, configuring this in $wgNamespaceProtection 
+  is not required.
 
 === New features in 1.14 ===
 
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 139db60394..e774f83f4f 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1244,9 +1244,10 @@ $wgRestrictionLevels = array( '', 'autoconfirmed', 'sysop' );
  * Set the minimum permissions required to edit pages in each
  * namespace.  If you list more than one permission, a user must
  * have all of them to edit pages in that namespace.
+ *
+ * Note: NS_MEDIAWIKI is implicitly restricted to editinterface.
  */
 $wgNamespaceProtection = array();
-$wgNamespaceProtection[ NS_MEDIAWIKI ] = array( 'editinterface' );
 
 /**
  * Pages in namespaces in this array can not be used as templates.
diff --git a/includes/Setup.php b/includes/Setup.php
index 158b1c0efb..ecc6deff73 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -58,6 +58,15 @@ if ( empty( $wgFileStore['deleted']['directory'] ) ) {
 	$wgFileStore['deleted']['directory'] = "{$wgUploadDirectory}/deleted";
 }
 
+/**
+ * Unconditional protection for NS_MEDIAWIKI since otherwise it's too easy for a 
+ * sysadmin to set $wgNamespaceProtection incorrectly and leave the wiki insecure. 
+ *
+ * Note that this is the definition of editinterface and it can be granted to 
+ * all users if desired.
+ */
+$wgNamespaceProtection[NS_MEDIAWIKI] = 'editinterface';
+
 /**
  * Initialise $wgLocalFileRepo from backwards-compatible settings
  */
-- 
2.20.1