jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/531589 )
Change subject: Check a user's rights before checking its group memberships ......................................................................
Check a user's rights before checking its group memberships
The current version of the code checks to see if a user is in the sysop group. This is wrong, because other groups may also have the right to delete/undelete/protect/block/unblock. Instead, it should make sure the bot user has the right through any of its group memberships, before falling back to the backward-compatible strategy that is based on user groups.
Bug: T229293 Bug: T189126 Bug: T122705 Bug: T119335 Bug: T75545 Change-Id: Ie729511867340f38de24e28e55bef1d49c1d6b99 --- M pywikibot/site.py 1 file changed, 9 insertions(+), 6 deletions(-)
Approvals: Xqt: Looks good to me, approved Dalba: Looks good to me, but someone else must approve jenkins-bot: Verified
diff --git a/pywikibot/site.py b/pywikibot/site.py
index 22bcc27..4b8e9b5 100644
--- a/pywikibot/site.py
+++ b/pywikibot/site.py
@@ -1303,7 +1303,6 @@
 keyword argument 'as_group'.
 @type group: str ('user' or 'sysop')
 @param right: The rights the logged in user should have.
- Not supported yet and thus ignored.
@return: method decorator
 """
@@ -1314,12 +1313,16 @@
 raise UserRightsError('Site {} has been closed. Only steward '
 'can perform requested action.'
 .format(self.sitename))
+ if right is not None:
+ if right in self.userinfo['rights']:
+ return
 if grp == 'user':
 self.login(False)
 elif grp == 'sysop':
 self.login(True)
 else:
 raise Exception('Not implemented')
+
 return fn(self, *args, **kwargs)
if not __debug__:
@@ -5638,7 +5641,7 @@
 'Revision may not exist or was already undeleted.'
 } # other errors shouldn't occur because of pre-submission checks
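Review bot: In the second hunk, the new branch `if right in self.userinfo['rights']:` ends in a bare `return`, so when the account does hold the right the wrapper exits with `None` and the decorated method is never called. The methods re-decorated in the later hunks (`deletepage`, `undelete_page`, `protect`, `blockuser`, `unblockuser`) would then silently do nothing for exactly the users this change is meant to admit; the branch should hand off instead, `return fn(self, *args, **kwargs)`. The rights lookup also runs before either `self.login(...)` call, so it describes whatever session is current, and a missing right only falls through to the group login rather than raising `UserRightsError`, which means `right` never denies an action by itself. The wrapper starts above the hunk and the extracted diff has lost its indentation, so the nesting here is read from the Python syntax and the hunk's line counts.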
- @must_be(group='sysop')
+ @must_be(group='sysop', right='delete')
 @deprecate_arg('summary', 'reason')
 def deletepage(self, page, reason):
 """Delete page from the wiki. Requires appropriate privilege level.
@@ -5676,7 +5679,7 @@
 finally:
 self.unlock_page(page)
- @must_be(group='sysop')
+ @must_be(group='sysop', right='undelete')
 @deprecate_arg('summary', 'reason')
 def undelete_page(self, page, reason, revisions=None):
 """Undelete page from the wiki. Requires appropriate privilege level.
@@ -5749,7 +5752,7 @@
 # implemented in b73b5883d486db0e9278ef16733551f28d9e096d
 return set(self.siteinfo.get('restrictions')['levels'])
- @must_be(group='sysop')
+ @must_be(group='sysop', right='protect')
 @deprecate_arg('summary', 'reason')
 def protect(self, page, protections, reason, expiry=None, **kwargs):
 """(Un)protect a wiki page. Requires administrator status.
@@ -5907,7 +5910,7 @@
yield result['patrol']
- @must_be(group='sysop') + @must_be(group='sysop', right='block') def blockuser(self, user, expiry, reason, anononly=True, nocreate=True, autoblock=True, noemail=False, reblock=False, allowusertalk=False): @@ -5965,7 +5968,7 @@ data = req.submit() return data
- @must_be(group='sysop')
+ @must_be(group='sysop', right='block')
 def unblockuser(self, user, reason=None):
 """
 Remove the block for the user.