Jim Hu wrote:
Thanks, this is exactly the kind of feedback I need. Getting someone who is more experienced than I am to actually look at the code is a big help.
On May 16, 2008, at 4:48 AM, DanTMan wrote:
On second look it appears the extension is not suitable yet.
The extension does not handle user rights permissions correctly. For 1.12> it won't work correctly because it does not handle $wgAddGroups, $wgRemoveGroups, $wgGroupsAddToSelf, and $wgGroupsRemoveFromSelf.
I could use some help on these; we're not running 1.12 in production yet (we're slow), and I just did the recoding of this version in a development copy of 1.12. So I'm not familiar with these. Is there a link or something in the distribution I should read?
^_^ First stop shop for MediaWiki documentation... MediaWiki itself... I seriously recommend a good IDE with autocomplete and a grep like search function. (If you're at a loss Eclipse with PHP or Aptana Studio with PHP work, NetBeans is supposed to have one but it's not released yet afaik, least I couldn't find it easily)
The absolute best thing for finding out how MediaWiki deals with user rights assigning would be to look in includes/SpecialUserrights.php that's Special:Userrights and when doing a user rights extension you're basically trying to mimic what it does but change around the interface.
Actually... Honestly, I think we should have a $wgUser->canAddGroup( ... ); and $wgUser->canRemoveGroup( ... ); set of helper functions to simplify userrights extensions in a way that won't cause damage when userrights are changed in the backend in later versions.
And for 1.11 it is a security issue, because for $wgAddGroups and $wgRemoveGroups to work a user needs the userrights permission. On 1.11 this will allow them to change restricted rights, however on 1.11 if your extension is enabled it will allow users with limited permission to change rights, to use that form to alter rights freely.
It also looks like a security hazard in general. Rights are not being checked in the correct places, namely the permissions saving. And it is relying on the checkboxes not showing up as the security feature. In other words, it's got a permissions injection vector. And in simple terms... I could probably right now go to any site running the extension, do a little bit of HTML editing on the rights forms, and edit any permission I want on your site without needing the rights at all. And yes, that does go as far as removing the rights for all your users, promoting myself to bot/sysop/bureaucrat and putting a flat ban on every user. You know, the kind of damage that'll take raw database editing to fix.
Eek! This sounds like the highest priority to fix.
Yup... Your setup of the special page is to. 'createuser' isn't a good permission to base on. If anything it would be 'userrights' but you know what the issue with that is. For the most part that would likely be nothing. And you would do isAllowed, isAnon, isBlocked, readOnly, and checks on the global variables in the start of the execute function. http://svn.nadir-point.com/viewvc/mediawiki-extensions/trunk/WikiVid/Special... The way I do the isAllowed, isBlocked, and readOnly checks is basically the standard afaik. I took the pieces from some of the more maintained extensions.
And there's some hardcoding of group names, and it's likely that checkboxes are not going to be rendered correctly when anything other than the default groups are used.
The handling of time also appears to be done in a way which is not cross-database compatible, and there is raw use of DISTINCT which I believe we have as a select option.
I was looking for that and obviously failed to find how to do that.
Might not be that easy to spot, but if you take a look inside of Database::select(); which appears to be Database::selectSQLText() now (^_^ Yay... finally, the ability to use the helper functions to construct complex cross-database compatible sql queries) it calls makeSelectOptions with the $options you pass and if you check there you'll see you can set array( 'DISTINCT' ) in the options parameter.
Is there anything you want to fix, or to any external parties want me to commit so they can fix up the extension?
I can take a crack at fixing some of this, but it sounds like I need some help with best practices.
Jim
ps: in_array('userrights',$wgUser->getRights()); would best be written as $wgUser->isAllowed('userrights');
That should be an easy one.
~Daniel Friesen(Dantman) of: -The Gaiapedia (http://gaia.wikia.com) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) -and Wiki-Tools.com (http://wiki-tools.com)
DanTMan wrote:
Remind me to commit that a bit later. Or maybe I'll try and remember.
~Daniel Friesen(Dantman) of: -The Gaiapedia (http://gaia.wikia.com) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) -and Wiki-Tools.com (http://wiki-tools.com)
Jim Hu wrote:
This is to announce a new release of UserRightsList.
http://www.mediawiki.org/wiki/Extension:UserRightsList
This extension provides an alternative to the standard User rights management special page. • Bureaucrats can view users as a list instead of searching for a specific user name • Users with account creation privileges can view limited rights for other users they created, if user creation logging is enabled • The user list can be filtered by group membership, username (with % wildcards), and/or date ranges for user_registration (by month).
This version mainly converts the database interaction to use $dbr-
select instead of $dbr->query, so I hope it will solve various
database problems that have been reported. I also added MIT license info (so DanTMan can add this to svn) and a Russian translation submitted at Mediawiki.org.
I've tested it on 1.12.0. Hope it's useful to others.
Jim Hu Associate Professor Dept. of Biochemistry and Biophysics 2128 TAMU Texas A&M Univ. College Station, TX 77843-2128 979-862-4054
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
===================================== Jim Hu Associate Professor Dept. of Biochemistry and Biophysics 2128 TAMU Texas A&M Univ. College Station, TX 77843-2128 979-862-4054
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
~Daniel Friesen(Dantman) of: -The Gaiapedia (http://gaia.wikia.com) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) -and Wiki-Tools.com (http://wiki-tools.com)