

Approvals: Xqt: Looks good to me, approved Dalba: Looks good to me, but someone else must approve jenkins-bot: Verified
Check a user's rights before checking its group memberships

The current version of the code checks to see if a user is in the
sysop group. This is wrong, because other groups may also have the
right to delete/undelete/protect/block/unblock. Instead, it should
first make sure the bot user has the required right through any of its
group memberships, and only then fall back to the backward-compatible
strategy that is based on user groups.

Bug: T229293
Bug: T189126
Bug: T122705
Bug: T119335
Bug: T75545
Change-Id: Ie729511867340f38de24e28e55bef1d49c1d6b99
---
M pywikibot/site.py
1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/pywikibot/site.py b/pywikibot/site.py
index 22bcc27..4b8e9b5 100644
--- a/pywikibot/site.py
+++ b/pywikibot/site.py
@@ -1303,7 +1303,6 @@
keyword argument 'as_group'.
@type group: str ('user' or 'sysop')
@param right: The rights the logged in user should have.
- Not supported yet and thus ignored.

@return: method decorator
"""
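Review bot: The `right` parameter is now honoured, but the docstring still has no type line for it, unlike `group` just above; add `@type right: str` after the `@param right` line and state what the check actually is, e.g. `@param right: A right name that must appear in the logged-in user's rights; when it does, the group-based login is skipped.` The `must_be` signature and the start of this docstring are outside the hunk.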
@@ -1314,12 +1313,16 @@
raise UserRightsError('Site {} has been closed. Only steward '
'can perform requested action.'
.format(self.sitename))
+ if right is not None:
+ if right in self.userinfo['rights']:
+ return
if grp == 'user':
self.login(False)
elif grp == 'sysop':
self.login(True)
else:
raise Exception('Not implemented')
+
return fn(self, *args, **kwargs)

if not __debug__:
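Review bot: The bare `return` added inside the rights check exits the wrapper with None instead of calling the decorated method, so, if the rendering here is faithful, a user who already holds the right would have `deletepage`, `protect`, `blockuser` etc. silently do nothing while a user without it still performs the action after the group-based login. That branch should be `return fn(self, *args, **kwargs)`, or it should fall through to the final call and only skip the login step. The check also reads `self.userinfo['rights']` before any login, so for a not-yet-logged-in bot it presumably sees the anonymous user's rights and falls back to the group path; that is the intended behaviour but deserves a one-line comment such as `# userinfo reflects the current session; anonymous rights never include these`. The enclosing `callee` wrapper, and the assignment of `grp`, begin before this hunk.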
@@ -5638,7 +5641,7 @@
'Revision may not exist or was already undeleted.'
} # other errors shouldn't occur because of pre-submission checks

- @must_be(group='sysop')
+ @must_be(group='sysop', right='delete')
@deprecate_arg('summary', 'reason')
def deletepage(self, page, reason):
"""Delete page from the wiki. Requires appropriate privilege level.
@@ -5676,7 +5679,7 @@
finally:
self.unlock_page(page)

- @must_be(group='sysop')
+ @must_be(group='sysop', right='undelete')
@deprecate_arg('summary', 'reason')
def undelete_page(self, page, reason, revisions=None):
"""Undelete page from the wiki. Requires appropriate privilege level.
@@ -5749,7 +5752,7 @@
# implemented in b73b5883d486db0e9278ef16733551f28d9e096d
return set(self.siteinfo.get('restrictions')['levels'])

- @must_be(group='sysop')
+ @must_be(group='sysop', right='protect')
@deprecate_arg('summary', 'reason')
def protect(self, page, protections, reason, expiry=None, **kwargs):
"""(Un)protect a wiki page. Requires administrator status.
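Review bot: The docstring of `protect` still says "Requires administrator status." although the decorator now accepts any user whose rights include `protect`, so the documentation contradicts the new check; change it to `"""(Un)protect a wiki page. Requires the 'protect' right."""`. The same wording should be checked on the other methods touched by this change whose docstrings are outside the hunks. The body of `protect` continues past the end of this hunk.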
@@ -5907,7 +5910,7 @@

yield result['patrol']

- @must_be(group='sysop')
+ @must_be(group='sysop', right='block')
def blockuser(self, user, expiry, reason, anononly=True, nocreate=True,
autoblock=True, noemail=False, reblock=False,
allowusertalk=False):
@@ -5965,7 +5968,7 @@
data = req.submit()
return data

- @must_be(group='sysop')
+ @must_be(group='sysop', right='block')
def unblockuser(self, user, reason=None):
"""
Remove the block for the user.


Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie729511867340f38de24e28e55bef1d49c1d6b99
Gerrit-Change-Number: 531589
Gerrit-PatchSet: 9
Gerrit-Owner: Huji <huji.huji@gmail.com>
Gerrit-Reviewer: Dalba <dalba.wiki@gmail.com>
Gerrit-Reviewer: Huji <huji.huji@gmail.com>
Gerrit-Reviewer: John Vandenberg <jayvdb@gmail.com>
Gerrit-Reviewer: Xqt <info@gno.de>
Gerrit-Reviewer: Zhuyifei1999 <zhuyifei1999@gmail.com>
Gerrit-Reviewer: jenkins-bot (75)