Hello,
I am writing an extension that edits articles.
Surprisingly, the function article::doEdit does not check user rights.
I set $wgGroupPermissions['*']['edit'] = false; so only logged in users can edit.
Using my extension, even anons can now edit.
So I tried to prevent this with $x_title = title::newFromText('Main page'); $allowed = $x_title->userCan('edit'); but this always returns true. $x_title->userCan('move'); works fine.
Out of curiosity I set: $wgReadOnly = "Update in progress. Wiki is set to read only."; so the whole wiki is locked.
But even then the extension can edit articles and userCan returns true.
MW 1.10, trunk about a week old.
Any hints, or is it a bug?
GunterS
Just a guess - but I think this is on purpose. You might want to look in EditPage.php to see if there's something in there you can extend instead.
-- Jim R. Wilson (jimbojw)
On 22/03/07, Gunter News2006@freenet.de wrote:
Surprisingly, the function article::doEdit does not check user rights. Any hints, or is it a bug?
No, it's not a bug; Article::doEdit() is a function which operates at a level below the editor - it's not intended to check user permissions, or block status, etc. This is left to the caller, e.g. EditPage.php (or maintenance scripts, which don't need to check these items).
To add a permission check, use the User::isAllowed() method, executing on the global $wgUser.
Rob Church
Rob Church wrote:
On 22/03/07, Gunter News2006@freenet.de wrote:
Surprisingly, the function article::doEdit does not check user rights. Any hints, or is it a bug?
No, it's not a bug; Article::doEdit() is a function which operates at a level below the editor - it's not intended to check user permissions, or block status, etc. This is left to the caller, e.g. EditPage.php (or maintenance scripts, which don't need to check these items).
My question was misleading, I found
$allowed = $x_title->userCan('edit');
returning true could be considered a bug, if $wgUser->isAllowed('edit') returns false.
function userCan could be expanded by something like this:

    // will also fix bug 5391, so user which can not edit will be presented
    // with a "view sourcecode" message. Especially helpful on wikis where
    // a user can not be acquired.
    if( $action == 'edit' && !( $wgUser->isAllowed( 'edit' ) ) ) {
        wfProfileOut( $fname );
        return false;
    }

    if( $action == 'create' && !( $wgUser->isAllowed( 'create' ) ) ) {
        wfProfileOut( $fname );
        return false;
    }

    // global database lock
    if( $wgReadOnly ) {
        wfProfileOut( $fname );
        return false;
    }

This would make it easier for developers, because checking userCan will be used for namespace protection also, so checking User::isAllowed does not seem to be sufficient anymore.
GunterS
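
One way for a calling extension to perform the checks that the replies above leave to the caller, shown as an added example that is not from the thread or from MediaWiki itself. efGuardedEdit() is a hypothetical helper name; wfReadOnly() and User::isBlocked() are core functions not mentioned in the thread, and the boolean return of Article::doEdit() is assumed from the 1.10 code base under discussion.

```php
<?php
// Added illustration, not MediaWiki core code.
// efGuardedEdit() is a hypothetical name for a helper inside the extension.

/**
 * Run the checks EditPage.php would normally perform, then save.
 *
 * @param string $pageName Title text of the page to edit
 * @param string $newText  New wikitext
 * @param string $summary  Edit summary
 * @return string 'ok', or the name of the check that refused the edit
 */
function efGuardedEdit( $pageName, $newText, $summary ) {
	global $wgUser;

	$title = Title::newFromText( $pageName );
	if ( is_null( $title ) ) {
		return 'badtitle';
	}

	// Global database lock ($wgReadOnly or the read-only lock file).
	if ( wfReadOnly() ) {
		return 'readonly';
	}

	// Group right: false for anons when $wgGroupPermissions['*']['edit'] = false.
	if ( !$wgUser->isAllowed( 'edit' ) ) {
		return 'noright';
	}

	// Per-title restrictions such as page or namespace protection.
	if ( !$title->userCan( 'edit' ) ) {
		return 'protected';
	}

	// Block status, which Article::doEdit() does not look at either.
	if ( $wgUser->isBlocked() ) {
		return 'blocked';
	}

	// Only now call the low-level save routine.
	$article = new Article( $title );
	return $article->doEdit( $newText, $summary ) ? 'ok' : 'savefailed';
}
```

The order puts the cheap global checks first, so a locked wiki or a missing group right is reported before any per-title lookup is made.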