Maniphest T19630

Article.php should check permissions before advising
Open, LowPublic
Actions

Assigned To

None

Authored By

	Jidanni
	Feb 23 2009, 5:10 PM

Description

Article.php returns noarticletext without checking
$wgNamespaceProtection.

This causes the user to see:
"There is currently no text in this page, you can search for this page
title in other pages _or edit this page_."

However, when he clicks that very "edit this page". He is told:
You do not have permission to edit this page, for the following reason:
You do not have permission to edit pages in the ... namespace.

"Bait and switch."

To reproduce, set e.g., $wgNamespaceProtection[NS_...]='*';
and visit some nonexistent page in that namespace.

Version: 1.16.x
Severity: normal

Details

Reference: bz17630

Related Objects

Mentioned In: T218257: Article creation suggestion on search should check for permissions

Event Timeline

• bzimport raised the priority of this task from to Low.Nov 21 2014, 10:36 PM

• bzimport added a project: MediaWiki-Page-protection.

• bzimport set Reference to bz17630.

• bzimport added a subscriber: Unknown Object (MLST).

Jidanni created this task.Feb 23 2009, 5:10 PM

More info:

In LocalSettings.php, do
foreach(array('createaccount','edit','createpage','createtalk')as $i){$wgGroupPermissions['*'][$i]=false;};

Now browse title=User_talk:NoPageHereYet&action=edit . You will encounter this message:

'nocreatetext' => '{{SITENAME}} has restricted the ability to create new
pages. You can go back and edit an existing page, or
[[Special:UserLogin|log in or create an account]].',

However such blanket statements need to check first if the user can
indeed edit an existing page, or create an account.

Now browse just title=User_talk:NoPageHereYet . You will get

'noarticletext' => 'There is currently no text in this page. You can
[[Special:Search/{{PAGENAME}}|search for this page title]] in other
pages, <span class="plainlinks"> [{{fullurl:Special:Log|page={{urlencode:{{FULLPAGENAME}}}}}}
search the related logs], or [{{fullurl:{{FULLPAGENAME}}|action=edit}}
edit this page]</span>.',

Here again, they might not have permission to "edit this page", so there
ought to be a check before saying so.

Bug 11177 has been marked as a duplicate of this bug. ***

I have a doubt if the page isn't created can't only the permissions be set on create?
If possible kindly provide a link of this kind of page.

I'm sorry I can't help on this any more. I am now busy doing other things.

ziedas wrote:

I think it is no longer an issue.
I put $wgGroupPermissions['*']['edit'] = false;

and it says

WIKI NAME has restricted the ability to create new pages. You can go back and edit an existing page, or log in or create an account.
screenshot attached

ziedas wrote:

showing login required page

Attached:

edit_not_existing.png (429×995 px, 101 KB)

Well then I guess it must be fixed now.

Change 105158 had a related patch set uploaded by Cargan:
bug 17630 fix; added aditional check if anonymous user can create/edit none existing page, if not display permission error

https://gerrit.wikimedia.org/r/105158

ziedas wrote:

I added a patch. Screenshot provided.

ziedas wrote:

clear message of permission error

Attached: