Hi, all,
Some of you may be aware that my wiki experienced a security breach this afternoon. The error was a minor lapse in assigning $wgGroupPermissions['user'][] = 'centralauth-merge'. This seems like an inocuous error to start with, but it had the following impact:
1. The value $wgGroupPermissions['user'][0] was assigned to 'centralauth-merge'. 2. In getting a user's rights, we use array_keys( array_filter( $wgGroupPermissions[$group] ) ), which added a right 0 to the list. 3. PHP has a nasty little habit of letting 0 == 'some string'. Witness the result:
$f = array( 'foo', 'bar', 'baz', 0, 'anne' ); print in_array( 'blah', $f );
1
4. User::isAllowed returned true for all rights if a user was in the 'user' group, because it uses in_array.
I spoke to the people in ##php, and supposedly, this is expected behaviour. They suggested we use in_array with 'true' as the final parameter, which uses ===.
I've done this in r40946. For those working on a revision BEFORE this one, PLEASE be careful. Double-check that you've assigned group permissions with $wgGroupPermissions['user']['right'] = true, rather than the (wrong) version I've used.
Thanks,