On Wed, May 28, 2008 at 8:22 AM, werdna@svn.wikimedia.org wrote:
> // We expect at least one permissions error, because we're trying to do an action on a specialpage.
> return count($this->getTitle()->getUserPermissionsErrors( 'centralauth-merge', $user ))<=1;
This is horrible. Why is it that we use a whitelist of allowed actions for special pages instead of a blacklist?
Simetrical wrote:
> On Wed, May 28, 2008 at 8:22 AM, werdna@svn.wikimedia.org wrote:
> > // We expect at least one permissions error, because we're trying to do an action on a specialpage.
> > return count($this->getTitle()->getUserPermissionsErrors( 'centralauth-merge', $user ))<=1;
> This is horrible. Why is it that we use a whitelist of allowed actions for special pages instead of a blacklist?
Because it's easier to whitelist a few known actions than to blacklist quadrillions of possible character combinations?
Not sure what you're getting at... :)
-- brion
On Wed, May 28, 2008 at 12:25 PM, Brion Vibber brion@wikimedia.org wrote:
> Because it's easier to whitelist a few known actions than to blacklist quadrillions of possible character combinations?
> Not sure what you're getting at... :)
My question is why we *do* blacklist things. If the core software doesn't know that 'squizzle' is a prohibited action for special pages, why should it assume that it is? It should default to permitting it, as the default is to permit all actions. If whatever extension adds that action decides that it should be prohibited for special pages, it can explicitly use a hook to prohibit it. This is the same as how it works for all other (non-special) pages.
Also, this particular case seems to illustrate why we should have made getUserPermissionsErrors() a User method, not a Title method, IMO, as I suggested when this was all being reworked. Permissions errors are always related to a user, but (as in this case) not necessarily to any particular page.
Simetrical wrote:
> On Wed, May 28, 2008 at 12:25 PM, Brion Vibber brion@wikimedia.org wrote:
> > Because it's easier to whitelist a few known actions than to blacklist quadrillions of possible character combinations?
> > Not sure what you're getting at... :)
> My question is why we *do* blacklist things. If the core software doesn't know that 'squizzle' is a prohibited action for special pages, why should it assume that it is? It should default to permitting it, as the default is to permit all actions. If whatever extension adds that action decides that it should be prohibited for special pages, it can explicitly use a hook to prohibit it. This is the same as how it works for all other (non-special) pages.
> Also, this particular case seems to illustrate why we should have made getUserPermissionsErrors() a User method, not a Title method, IMO, as I suggested when this was all being reworked. Permissions errors are always related to a user, but (as in this case) not necessarily to any particular page.
Just use $wgUser->getBlockedStatus(), all he wants to do is check if the user is blocked. But I would disagree with the quoted code on another level. It's a little principle I've been developing but have yet to preach to the list.
> // We expect at least one permissions error, because we're trying to do an action on a specialpage.
> return count($this->getTitle()->getUserPermissionsErrors( 'centralauth-merge', $user ))<=1;
Write what you mean, don't take shortcuts. Treat programming like an expressive natural language, and put the algorithm that's in your head precisely down into the code. Typing is quick, debugging is slow.
$errors = $this->getTitle()->getUserPermissionsErrors( 'centralauth-merge', $user );
foreach ( $errors as $i => $error ) {
    if ( $error[0] == 'ns-specialprotected' ) {
        unset( $errors[$i] );
    }
}
return (bool)$errors;
If that's too long, you can always refactor.
-- Tim Starling
wikitech-l@lists.wikimedia.org
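
An added example (not code from the thread or from CentralAuth) that runs the count-based check from the quoted commit and an explicit filter on 'ns-specialprotected' over the same error lists, to show where they disagree. The function names, the 'blockedtext' entries and the sample error lists are constructed for illustration, and the convention that true means "allowed" is this example's own.

```php
<?php
// Added illustration; function names and sample error lists are constructed.
// Each error is an array whose first element is the message key, which is
// the shape the $error[0] comparison in the thread relies on.

// Count-based check, as in the quoted commit: allowed if at most one error,
// on the assumption that the one error is always the special-page one.
function allowedByCount( array $errors ): bool {
    return count( $errors ) <= 1;
}

// Explicit check: drop only the expected special-page error, then require
// that nothing else is left.
function allowedByFilter( array $errors ): bool {
    foreach ( $errors as $i => $error ) {
        if ( $error[0] === 'ns-specialprotected' ) {
            unset( $errors[$i] );
        }
    }
    return count( $errors ) === 0;
}

// Constructed inputs. The third case models a core change that stops
// raising 'ns-specialprotected' for this action while the user is blocked.
$cases = [
    'special-page error only' => [ [ 'ns-specialprotected' ] ],
    'special-page error + block' => [
        [ 'ns-specialprotected' ],
        [ 'blockedtext', 'ExampleAdmin', 'constructed reason' ],
    ],
    'block only, special-page error not raised' => [
        [ 'blockedtext', 'ExampleAdmin', 'constructed reason' ],
    ],
    'no errors' => [],
];

foreach ( $cases as $label => $errors ) {
    printf(
        "%-44s count-based: %-5s filtered: %s\n",
        $label,
        var_export( allowedByCount( $errors ), true ),
        var_export( allowedByFilter( $errors ), true )
    );
}
```

The two checks agree while the special-page error is always present; in the third case the count-based check lets a blocked user through because it never looks at which error it counted.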