[Mediawiki-l] article::doEdit with user rights
Gunter
News2006 at freenet.de
Thu Mar 22 18:25:47 UTC 2007
Rob Church wrote:
> On 22/03/07, Gunter <News2006 at freenet.de> wrote:
>
>> Surprisingly, the function article::doEdit does not check user rights.
>> Any hints, or is it a bug?
>>
>
> No, it's not a bug; Article::doEdit() is a function which operates at
> a level below the editor - it's not intended to check user
> permissions, or block status, etc. This is left to the caller, e.g.
> EditPage.php (or maintenance scripts, which don't need to check these
> items).
>
>
My question was misleading. I found that

    $allowed = $x_title->userCan('edit');

returning true could be considered a bug if $wgUser->isAllowed('edit') returns false.

The function userCan could be expanded with something like this:

    // Will also fix bug 5391, so a user who cannot edit will be presented
    // with a "view sourcecode" message. Especially helpful on wikis where
    // a user cannot be acquired.
    if( $action == 'edit' &&
        !( $wgUser->isAllowed( 'edit' ) ) ) {
        wfProfileOut( $fname );
        return false;
    }
    if( $action == 'create' &&
        !( $wgUser->isAllowed( 'create' ) ) ) {
        wfProfileOut( $fname );
        return false;
    }
    // global database lock
    if( $wgReadOnly ) {
        wfProfileOut( $fname );
        return false;
    }

This would make it easier for developers, because checking userCan will also be used for namespace protection, so checking User::isAllowed does not seem to be sufficient anymore.
GunterS
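
The layering discussed in this thread, as an added example that is not part of the original post and not MediaWiki code: a caller-side gate that requires the global right, the read-only lock and the per-title check to all agree before a low-level write that checks nothing. DemoUser, DemoTitle, mayPerform, lowLevelSave and guardedSave are hypothetical stand-ins, and the 'protect' right in the stub is an assumption of the example.

```php
<?php
// Stand-in classes for illustration only; these are NOT MediaWiki's classes.
// DemoTitle models the behaviour reported above: the per-title check
// does not consult the user's global 'edit' right.
class DemoUser {
    private $rights;
    public function __construct(array $rights) { $this->rights = $rights; }
    public function isAllowed($right) { return in_array($right, $this->rights, true); }
}

class DemoTitle {
    private $protected;
    public function __construct($protected) { $this->protected = $protected; }
    // Page-level restriction only; 'protect' is an assumed right name.
    public function userCan($action, DemoUser $user) {
        return !$this->protected || $user->isAllowed('protect');
    }
}

// Caller-side gate: every layer must agree before the write runs.
function mayPerform($action, DemoUser $user, DemoTitle $title, $readOnly) {
    if ($readOnly) {
        return false;                        // global database lock
    }
    if (!$user->isAllowed($action)) {
        return false;                        // global right missing
    }
    return $title->userCan($action, $user);  // page or namespace restriction
}

// Low-level write that, like the function discussed above, checks nothing.
function lowLevelSave(array &$store, $page, $text) {
    $store[$page] = $text;
    return true;
}

function guardedSave(array &$store, $page, $text, DemoUser $u, DemoTitle $t, $readOnly = false) {
    return mayPerform('edit', $u, $t, $readOnly) && lowLevelSave($store, $page, $text);
}

// Constructed sample users and pages.
$store  = [];
$anon   = new DemoUser([]);         // no 'edit' right
$editor = new DemoUser(['edit']);
$open   = new DemoTitle(false);
$locked = new DemoTitle(true);

var_dump($open->userCan('edit', $anon));                        // title check alone
var_dump(guardedSave($store, 'Sandbox', 'v1', $anon, $open));   // gated, anonymous
var_dump(guardedSave($store, 'Sandbox', 'v1', $editor, $open)); // gated, editor
var_dump(guardedSave($store, 'Main', 'v1', $editor, $locked));  // gated, protected page
var_dump(guardedSave($store, 'Sandbox', 'v2', $editor, $open, true)); // read-only lock
```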