Page MenuHomePhabricator
Create Task
Maniphest T362536

Cannot access deleted contents while in a namespace-protected namespace that cannot be edited
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
Anterdc99
Authored By
Wilf233
Apr 15 2024, 2:16 PM
Tags
Referenced Files
Unknown Object (File)
Apr 16 2024, 4:09 AM
Unknown Object (File)
Apr 15 2024, 3:46 PM
F46776222: image.png
Apr 15 2024, 2:16 PM
F46776026: image.png
Apr 15 2024, 2:16 PM
Subscribers
Aklapper
Anterdc99
Dianliang233
Wilf233

Description

Steps to replicate the issue:

  • Log in Chinese Minecraft Wiki in an account with "patrollers", "users" and "autoconfirmed" user groups only. (This user group contains user rights deletedhistory, deletedtext, and undelete, but without the rights to edit MediaWiki namespace.) You can see the user group rights here.
  • View deleted pages in MediaWiki namespace. Here is an example.

What happens?:
Access denied, and the message says:
You do not have permission to view metadata of deleted history entries, for the following reason:
The action you have requested is limited to users in one of the groups: Sysadmins, patrollers, CATS, Administrators.

What should have happened instead?:
Can access the deleted contents, but cannot restore them.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
1.41.1

Other information (browser name/version, screenshots, etc.):

image.png (540×2 px, 119 KB)

image.png (210×674 px, 20 KB)

Details

SubjectRepoBranchLines +/-
PermissionManagerTest: Add test for NSProtection excluded actionsmediawiki/coremaster+64 -1
[WIP] PermissionManagerTest: Add test for NSProtection excluded actionsmediawiki/coreREL1_42+66 -1
PermissionManager: Allow some readonly user rights bypass NSProtectionmediawiki/coreREL1_39+5 -1
PermissionManager: Allow some readonly user rights bypass NSProtectionmediawiki/coreREL1_40+5 -1
PermissionManager: Allow some readonly user rights bypass NSProtectionmediawiki/coreREL1_41+5 -1
PermissionManager: Allow some readonly user rights bypass NSProtectionmediawiki/coreREL1_42+5 -1
[WIP] PermissionManagerTest: Add test for NSProtection excluded actionsmediawiki/coreREL1_42+36 -1
PermissionManager: Allow some readonly user rights bypass NSProtectionmediawiki/coremaster+5 -1
Customize query in gerrit

Related Objects

Event Timeline

Wilf233 created this task.Apr 15 2024, 2:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 15 2024, 2:16 PM
Wilf233 attached a referenced file: F46776026: image.png. (Show Details)Apr 15 2024, 2:18 PM
Aklapper added projects: MediaWiki-General, Voice & Tone.Apr 15 2024, 2:20 PM
Anterdc99 subscribed.EditedApr 15 2024, 3:39 PM

Can confirm in MediaWiki 1.43.0-alpha (c67d907), seems caused by the permission checker can not properly handle namespace protection.

The undelete link also shows, might related to this.

Shizhao added a project: Chinese-Sites.Apr 16 2024, 2:58 AM
Dianliang233 subscribed.Apr 16 2024, 5:29 AM
gerritbot added a comment.Apr 16 2024, 4:28 PM

Change #1020285 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@master] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1020285

gerritbot added a project: Patch-For-Review.Apr 16 2024, 4:28 PM
Winston_Sung moved this task from Backlog to MediaWiki core on the Chinese-Sites board.May 5 2024, 1:05 AM
Pppery renamed this task from System message "Badaccess-groups" contradiction to Inaccurate error message given when trying to view deleted history for a page one can't edit.May 11 2024, 4:59 PM
Pppery added a project: MediaWiki-Page-deletion.
Pppery removed a project: MediaWiki-General.
gerritbot added a comment.May 21 2024, 4:19 PM

Change #1020285 merged by jenkins-bot:

[mediawiki/core@master] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1020285

Maintenance_bot removed a project: Patch-For-Review.May 21 2024, 4:31 PM
gerritbot added a comment.May 21 2024, 4:43 PM

Change #1034537 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@REL1_42] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1034537

gerritbot added a project: Patch-For-Review.May 21 2024, 4:43 PM
gerritbot added a comment.May 21 2024, 4:53 PM

Change #1034541 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@REL1_41] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1034541

gerritbot added a comment.May 21 2024, 4:58 PM

Change #1034542 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@REL1_40] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1034542

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.7; 2024-05-28).May 21 2024, 5:00 PM
gerritbot added a comment.May 21 2024, 5:06 PM

Change #1034544 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@REL1_39] PermissionManager: Allow some readonly user rights bypass NSProtection

https://gerrit.wikimedia.org/r/1034544

Anterdc99 added a comment.May 21 2024, 5:07 PM

Is OK if I change the title to reflect the actual commit?

Anterdc99 claimed this task.May 21 2024, 5:54 PM
gerritbot added a comment.May 22 2024, 8:31 PM

Change #1035025 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@master] PermissionManagerTest: Add test for NSProtection excluded actions

https://gerrit.wikimedia.org/r/1035025

gerritbot added a comment.May 23 2024, 10:32 AM

Change #1035352 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@REL1_42] PermissionManagerTest: Add test for NSProtection excluded actions

https://gerrit.wikimedia.org/r/1035352

gerritbot added a comment.May 24 2024, 9:55 AM

Change #1035736 had a related patch set uploaded (by Anterdc99; author: Anterdc99):

[mediawiki/core@REL1_42] [WIP] PermissionManagerTest: Add test for NSProtection excluded actions

https://gerrit.wikimedia.org/r/1035736

gerritbot added a comment.May 24 2024, 9:57 AM

Change #1035352 abandoned by Anterdc99:

[mediawiki/core@REL1_42] [WIP] PermissionManagerTest: Add test for NSProtection excluded actions

Reason:

https://gerrit.wikimedia.org/r/1035352

Wilf233 renamed this task from Inaccurate error message given when trying to view deleted history for a page one can't edit to Allow some readonly user rights bypass NSProtection.May 25 2024, 5:11 AM
Wilf233 updated the task description. (Show Details)
Anterdc99 updated the task description. (Show Details)May 25 2024, 5:16 AM
Anterdc99 renamed this task from Allow some readonly user rights bypass NSProtection to Cannot access deleted contents while in a namespace-protected namespace that cannot be edited.May 25 2024, 5:21 AM
Anterdc99 updated the task description. (Show Details)
gerritbot added a comment.May 27 2024, 8:49 AM

Change #1034537 abandoned by Anterdc99:

[mediawiki/core@REL1_42] PermissionManager: Allow some readonly user rights bypass NSProtection

Reason:

cancel backporting per user's comment

https://gerrit.wikimedia.org/r/1034537

gerritbot added a comment.May 27 2024, 8:49 AM

Change #1034541 abandoned by Anterdc99:

[mediawiki/core@REL1_41] PermissionManager: Allow some readonly user rights bypass NSProtection

Reason:

cancel backporting per user's comment

https://gerrit.wikimedia.org/r/1034541

gerritbot added a comment.May 27 2024, 8:49 AM

Change #1034542 abandoned by Anterdc99:

[mediawiki/core@REL1_40] PermissionManager: Allow some readonly user rights bypass NSProtection

Reason:

cancel backporting per user's comment

https://gerrit.wikimedia.org/r/1034542

gerritbot added a comment.May 27 2024, 8:49 AM

Change #1034544 abandoned by Anterdc99:

[mediawiki/core@REL1_39] PermissionManager: Allow some readonly user rights bypass NSProtection

Reason:

cancel backporting per user's comment

https://gerrit.wikimedia.org/r/1034544

gerritbot added a comment.May 27 2024, 8:49 AM

Change #1035736 abandoned by Anterdc99:

[mediawiki/core@REL1_42] [WIP] PermissionManagerTest: Add test for NSProtection excluded actions

Reason:

cancel backporting per user's comment

https://gerrit.wikimedia.org/r/1035736

gerritbot added a comment.May 28 2024, 6:10 PM

Change #1035025 merged by jenkins-bot:

[mediawiki/core@master] PermissionManagerTest: Add test for NSProtection excluded actions

https://gerrit.wikimedia.org/r/1035025

Maintenance_bot removed a project: Patch-For-Review.May 28 2024, 6:30 PM
ReleaseTaggerBot edited projects, added MW-1.43-notes (1.43.0-wmf.8; 2024-06-04); removed MW-1.43-notes (1.43.0-wmf.7; 2024-05-28).May 28 2024, 7:00 PM
Anterdc99 removed Anterdc99 as the assignee of this task.May 29 2024, 1:57 AM
Anterdc99 closed this task as Resolved.May 29 2024, 6:22 PM
Anterdc99 claimed this task.
Anterdc99 removed projects: Chinese-Sites, Voice & Tone.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits