Hi, all,
Some of you may be aware that my wiki experienced a security breach
this afternoon. The error was a minor lapse in assigning
$wgGroupPermissions['user'][] = 'centralauth-merge'. This seems like
an inocuous error to start with, but it had the following impact:
1. The value $wgGroupPermissions['user'][0] was assigned to
'centralauth-merge'.
2. In getting a user's rights, we use array_keys( array_filter(
$wgGroupPermissions[$group] ) ), which added a right 0 to the list.
3. PHP has a nasty little habit of letting 0 == 'some string'. Witness
the result:
$f = array( 'foo', 'bar',
'baz', 0, 'anne' );
print in_array( 'blah', $f );
1
4. User::isAllowed returned true for all rights if a user was in the
'user' group, because it uses in_array.
I spoke to the people in ##php, and supposedly, this is expected
behaviour. They suggested we use in_array with 'true' as the final
parameter, which uses ===.
I've done this in r40946. For those working on a revision BEFORE this
one, PLEASE be careful. Double-check that you've assigned group
permissions with $wgGroupPermissions['user']['right'] = true, rather
than the (wrong) version I've used.
Thanks,
--
Andrew Garrett