Special:UserRights not allowing Flood flag if user is not capitalised
Closed, Resolved, Public

Description

Author: tholly.wikimedia

Description:
I'm an admin on simplewiki and I can only give myself the flood flag at http://simple.wikipedia.org/w/index.php?title=Special:UserRights&user=Tholly, not at http://simple.wikipedia.org/w/index.php?title=Special:UserRights&user=tholly.

Other flags work without the capitals.

I don't know whether this is a problem with other projects.


Version: unspecified
Severity: trivial
URL: http://simple.wikipedia.org/wiki/Special:UserRights

Details

Reference
bz19519

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:43 PM
bzimport set Reference to bz19519.
bzimport added a subscriber: Unknown Object (MLST).

core wrote:

I can reproduce... I can only give myself the flag, no one else.

djsasso wrote:

(In reply to comment #1)

I can reproduce... I can only give myself the flag, no one else.

That is actually on purpose, admins are only allowed to give themselves the flag for security reasons.

core wrote:

I think that may be a regression however... since by virtue of administrators... they are trusted and technically permitted to override security features of the software.

tholly.wikimedia wrote:

The problem is not that I can not give that flag to other people - admins do not have permission to do that.

The problem is that I can only give the flag to myself if I type my username with a capital "T". I can give myself rollback or IP block exemption with "tholly", but flood flag only with "Tholly".

Looks like there's a check for self-ness that's done before validation of the input name, so you get a false negative on non-exact matches that normalize to the right name later. In this case it's relatively harmless as you just can't do everything you thought you could, rather than granting any extra abilities.
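
The ordering problem described in the comment above, as an added example that is not part of the original thread and is not MediaWiki's code. The function names, the group labels and the simplified normalization rule are assumptions made for illustration.

```php
<?php
// Hypothetical model of a self check that runs before name normalization.

// Assumed canonical form: trim, underscores to spaces, first letter upper-cased.
function normalizeUsername(string $input): string {
    $name = trim(str_replace('_', ' ', $input));
    return mb_strtoupper(mb_substr($name, 0, 1)) . mb_substr($name, 1);
}

// Constructed policy: groups an admin may add to anyone vs. only to themselves.
const ADD_TO_ANYONE = ['rollback', 'ipblock-exempt'];
const ADD_TO_SELF   = ['flood'];

// Buggy order: the raw form input is compared with the actor's canonical name,
// so "tholly" is not recognised as "Tholly" and the self-only group is dropped.
function grantableGroupsBuggy(string $actor, string $rawTarget): array {
    $isSelf = ($actor === $rawTarget);         // compared before normalization
    $target = normalizeUsername($rawTarget);   // canonical name, resolved too late
    $groups = $isSelf ? array_merge(ADD_TO_ANYONE, ADD_TO_SELF) : ADD_TO_ANYONE;
    return ['target' => $target, 'groups' => $groups];
}

// Corrected order: normalize both sides first, then decide whether it is a self edit.
function grantableGroupsFixed(string $actor, string $rawTarget): array {
    $target = normalizeUsername($rawTarget);
    $isSelf = (normalizeUsername($actor) === $target);
    $groups = $isSelf ? array_merge(ADD_TO_ANYONE, ADD_TO_SELF) : ADD_TO_ANYONE;
    return ['target' => $target, 'groups' => $groups];
}

// Constructed inputs: the canonical name and two spellings that normalize to it.
foreach (['Tholly', 'tholly', ' tholly_'] as $raw) {
    $buggy = grantableGroupsBuggy('Tholly', $raw);
    $fixed = grantableGroupsFixed('Tholly', $raw);
    printf(
        "input=%-10s target=%-7s buggy=[%s] fixed=[%s]\n",
        var_export($raw, true),
        $fixed['target'],
        implode(',', $buggy['groups']),
        implode(',', $fixed['groups'])
    );
}
```

In this model the groups that may be added to anyone never depend on the self check, which is why only the self-only group disappears for the lower-case spelling. Here the mismatch only withholds a permission; the same ordering in a check that restricts what a user may do to their own account would err in the permissive direction.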

mike.lifeguard+bugs wrote:

Why would it affect one user group but not another?

mike.lifeguard+bugs wrote:

Also note bug 17864, which is another issue with Special:Userrights input validation.

Regressions with remote users fixed in r57064