| • bzimport | |
| Apr 10 2005, 6:09 AM |
| F1951: Title.php.patch | |
| Nov 21 2014, 8:19 PM |
| F1950: 1.patch | |
| Nov 21 2014, 8:19 PM |
Author: brian
Description:
Wikis where the entire wiki is protected, such as
wikimediafoundation.org, should treat every page like a
protected page, to simplify the code and prevent problems
like a lack of a "view source" feature.
Version: unspecified
Severity: enhancement
robchur wrote:
Well, the entire wiki isn't protected in that case; but it's locked to anonymous
editors. Edit tabs already include a "(requires login)" 'disclaimer' which
indicates that the wiki is a little different from normal.
brian wrote:
It's not protected in the sense that only one class of user can edit, but there
are restrictions on editing that are not specific to particular users.
I was not logged in when I noticed these:
Caption: "Edit (requires login)"
Tooltip: "You can edit this page. Please use the preview button before saving."
They don't seem relevant somehow. We should just see a "view source" link, which
points to a page with an explanation of why we can't edit.
rotemliss wrote:
Patch
This patch does many things. Generally (in the user interface), it does the
following things:
view the source" etc.) if the page exists (or if it is a MediaWiki system
message which was not created yet, but exists), and hides the text area and the
comment if the page does not exist.
(Nowadays, for example, if we set:
$wgGroupPermissions["*"]["edit"] = false;
$wgGroupPermissions["user"]["edit"] = false;
in LocalSettings.php and a registered user tries to edit a page, he gets the
non-exact, non-specific and non-unfiorm message about "protected page". But
nobody has protected it ever. Now he gets the message "you are not allowed to
edit pages in this site", because there is nothing you can do about that (well,
he can e-mail the bureaucrat and ask a sysop authority…). However, an
anonymous user will get the message "you have to log in to edit pages", like
today.
new messages in the other languages will appear in English, unless they update
their language file.
The technical subjects will appear in the next comment, because I'm not sure if
there is a length restriction for these comments.
Attached:
rotemliss wrote:
I forgot to mention that the patch is for the trunk, of course. I won't try to
create one for the branch. However, of course, Wikimedia sites will be updated,
because they use the trunk.
First, I want to define for this comment "read-only page" as "a page you cannot
edit him but not because the database is locked". In the messages, read-only
page is the second one (a page you cannot edit because the database is locked),
but I don't refer it here, so treat it as what I've said.
Technically, the patch does the following things (read while reading the patch
and the files I specify):
(includes/OutputPage.php). If the page is read-only, this parameter gets the
specified message name, instead of "protectedtext" (which is also shown if needed).
("you can view the source" etc.). This message becomes general (for all the
read-only pages), but it is shown only if we need it (i.e., if the source code
is shown, see the next item).
includes/OutputPage.php) only if the page is exist (or it is a MediaWiki message
which is exist): if the page is not exist, there is no need to show the message
"noarticletext" in the text area.
all the messages which are related to this kind of page. ("viewsource",
"viewsourcefor" and "protectedtext" were in "general errors", among errors in
the database! And other messages were in the reasonable place of "editing
page".) Most messages appear in pairs – one message for registered users (with
no suffix), one for anonymous users (with the suffix "anon"). The messages for
the anonymous suggest they will log in (except "protectedtextanon", which just
copies "protectedtext").
CANNOT edit by his permissions, not only by "protected page" or "protected
MediaWiki pages", etc.
edit, and the user doesn't have one.
match userCanEdit and Title:userCanMove. (Title::userCan is private, after all).
OutputPage::readOnlyPage function with the proper $message parameter, instead of
its private function (which doesn't show the source code, and "view source"
isn't shown), or even worse – OutputPage::readOnlyPage without the $message
parameter, says the page is protected.
permission, and does he have a confirmed e-mail address if there is a need) were
moved into the "if" check of the return value of EditPage::userCanEdit().
using the new EditPage::userCanCreate() for checking, and the improved
OutputPage::readOnlyPage with the proper message.
To be continued…
rotemliss wrote:
Some more things the patch does:
page – just above the check if that is the problem.
(includes/EditPage.php) – permissions, read-only pages because the database is
read only, etc. – because they were already done.
which were replaced by OutputPage::readOnlyPage.
isn't exist) in SkinTemplate::buildContentActionUrls
(includes/SkinTemplate.php), to decide whether to show "edit" or "view source".
Now it shows "view source" if the user tries to create a page he has no
permission to create. Also, it shows the "view source" if the user doesn't have
the permission "edit" or didn't confirm his e-mail while it is mandatory,
because of the improvements in EditPage::userCan. (And by the way, thanks to the
reporter of Bug 5391, who suggested some of the improvements there.)
By the way, please note the title of the pages which tell us that we don't have
the permissions, or we have to confirm our e-mail address, was "login required
to edit" or something like that. However, nowadays it is "view source"
everywhere, because it DOES view the source, and only tells us briefly why we
cannot edit the page.
Finished the documentation! Please review and check in, thanks.
gangleri wrote:
*note*
If you go to
http://meta.wikimedia.org/wiki/Special:SiteMatrix#zu
and change in the url's 'wikipedia' by 'wikimedia'
you can find various "restricted" Wikimedia Foundation wikies as.
There you can "build" url's with known parameters (some people call this hacking):
http://wikimania2005.wikimedia.org/w/index.php?title=Special:Userlogin&type=signup&returnto=Main_Page
http://wikimaniateam.wikimedia.org/w/index.php?title=Special:Userlogin&type=signup&returnto=Main_Page
I do not know if this is an *nonissue* or not. Have no clue what to show on an
arbirary hacked url.
best regards reinhardt [[user:gangleri]]
robchur wrote:
(In reply to comment #11)
*note*
If you go to
http://meta.wikimedia.org/wiki/Special:SiteMatrix#zu
and change in the url's 'wikipedia' by 'wikimedia'
you can find various "restricted" Wikimedia Foundation wikies as.There you can "build" url's with known parameters (some people call this hacking):
I wouldn't consider it as critical, because that method still doesn't permit
creation of a user account. The interface could be tidied up a little and bounce
the user back to a page explaining that they can't create an account, but it's
not a serious security issue.
gunter.schmidt wrote:
fix not displaying "view source" if page is protected
I think the user:isAllowed should be checked here, I provided a patch.
Gunter
Attached: