Thanks, this is exactly the kind of feedback I need. Getting someone
who is more experienced than I am to actually look at the code is a
big help.
On May 16, 2008, at 4:48 AM, DanTMan wrote:
On second look it appears the extension is not
suitable yet.
The extension does not handle user rights permissions correctly.
For 1.12> it won't work correctly because it does not handle
$wgAddGroups, $wgRemoveGroups, $wgGroupsAddToSelf, and
$wgGroupsRemoveFromSelf.
I could use some help on these; we're not running 1.12 in production
yet (we're slow), and I just did the recoding of this version in a
development copy of 1.12. So I'm not familiar with these. Is there a
link or something in the distribution I should read?
And for 1.11 it is a security issue, because for $wgAddGroups and
$wgRemoveGroups to work a user needs the userrights permission. On
1.11
this will allow them to change restricted rights, however on 1.11 if
your extension is enabled it will allow users with limited
permission to
change rights, to use that form to alter rights freely.
It also looks like a security hazard in general. Rights are not being
checked in the correct places, namely the permissions saving. And it
is
relying on the checkboxes not showing up as the security feature.
In other words, it's got a permissions injection vector. And in simple
terms... I could probably right now go to any site running the
extension, do a little bit of HTML editing on the rights forms, and
edit
any permission I want on your site without needing the rights at all.
And yes, that does go as far as removing the rights for all your
users,
promoting myself to bot/sysop/bureaucrat and putting a flat ban on
every
user. You know, the kind of damage that'll take raw database editing
to fix.
Eek! This sounds like the highest priority to fix.
And there's some hardcoding of group names, and it's likely that
checkboxes are not going to be rendered correctly when anything other
than the default groups are used.
The handling of time also appears to be done in a way which is not
cross-database compatible, and there is raw use of DISTINCT which I
believe we have as a select option.
I was looking for that and obviously failed to find how to do that.
Is there anything you want to fix, or to any external parties want
me to
commit so they can fix up the extension?
I can take a crack at fixing some of this, but it sounds like I need
some help with best practices.
Jim
ps: in_array('userrights',$wgUser->getRights()); would best be written
as $wgUser->isAllowed('userrights');
That should be an easy one.
~Daniel Friesen(Dantman) of:
-The Gaiapedia (
http://gaia.wikia.com)
-Wikia ACG on
Wikia.com (
http://wikia.com/wiki/Wikia_ACG)
-and
Wiki-Tools.com (
http://wiki-tools.com)
DanTMan wrote:
Remind me to commit that a bit later.
Or maybe I'll try and remember.
~Daniel Friesen(Dantman) of:
-The Gaiapedia (
http://gaia.wikia.com)
-Wikia ACG on
Wikia.com (
http://wikia.com/wiki/Wikia_ACG)
-and
Wiki-Tools.com (
http://wiki-tools.com)
Jim Hu wrote:
This is to announce a new release of
UserRightsList.
http://www.mediawiki.org/wiki/Extension:UserRightsList
This extension provides an alternative to the standard User rights
management special page.
• Bureaucrats can view users as a list instead of searching for a
specific user name
• Users with account creation privileges can view limited rights for
other users they created, if user creation logging is enabled
• The user list can be filtered by group membership, username
(with %
wildcards), and/or date ranges for user_registration (by month).
This version mainly converts the database interaction to use $dbr-
select instead of $dbr->query, so I hope it
will solve various
database problems that have been reported. I also added MIT
license
info (so DanTMan can add this to svn) and a Russian translation
submitted at
Mediawiki.org.
I've tested it on 1.12.0. Hope it's useful to others.
=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054