
Lockdown extension overrides wgGroupPermissions
Open, Medium, Public

Description

Author: prollius

Description:
Although the header of Lockdown.php says "NOTE: you cannot GRANT access to things forbidden by $wgGroupPermissions. You can only DENY access granted there." the mere inclusion of Lockdown.php leads to this configuration being ignored:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;

Any user has edit privileges when Lockdown is active.

This is discussed here: http://www.mediawiki.org/wiki/Extension_talk:Lockdown#Seconded_-_Overriding_.24wgGroupPermissions.3F


Version: unspecified
Severity: critical

Details

Reference
bz25976

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:24 PM
bzimport set Reference to bz25976.
bzimport added a subscriber: Unknown Object (MLST).

prollius wrote:

While digging deeper I think I found a hint on where the problem lies: the behaviour described above (Lockdown overriding <code>$wgGroupPermissions['*']['edit'] = false;</code>, thus anonymous users are able to edit) arises when a user was logged in before, but is not logged in anymore. Might this be a session/cookie-related problem?

When requesting the same page at the same time from the same machine but in another browser (which hasn't been used for logging into the wiki), then the any-user cannot edit the page.
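
A regression check for the symptom reported above, as an added example (not part of the original report or of Lockdown): it reads the rights MediaWiki reports through `action=query&meta=userinfo&uiprop=rights` and flags an anonymous client that still holds `edit`, comparing a fresh client with one that sends a leftover session cookie. The sample responses are constructed, and `fetch_userinfo`, `leaked_rights` and `compare_clients` are hypothetical helper names.

```python
import json
import urllib.parse
import urllib.request

# Rights that $wgGroupPermissions['*']['edit'] = false should withhold from anonymous clients.
DENIED_TO_ANON = {"edit"}

# Constructed sample responses (not captured from a real wiki).
FRESH = {"query": {"userinfo": {"id": 0, "name": "192.0.2.10", "anon": "",
                                "rights": ["createaccount", "read"]}}}
STALE = {"query": {"userinfo": {"id": 0, "name": "192.0.2.10", "anon": "",
                                "rights": ["createaccount", "read", "edit"]}}}
LOGGED_IN = {"query": {"userinfo": {"id": 5, "name": "ExampleUser",
                                    "rights": ["read", "edit"]}}}


def fetch_userinfo(api_url, cookie_header=None):
    """Ask a wiki's api.php which rights it grants to this client."""
    query = urllib.parse.urlencode({"action": "query", "meta": "userinfo",
                                    "uiprop": "rights", "format": "json"})
    req = urllib.request.Request(f"{api_url}?{query}")
    if cookie_header:  # e.g. cookies left over from an earlier login
        req.add_header("Cookie", cookie_header)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def leaked_rights(response, denied=DENIED_TO_ANON):
    """Return the denied rights that an anonymous client nevertheless holds."""
    info = response["query"]["userinfo"]
    # MediaWiki marks anonymous clients with an "anon" key and user id 0.
    if not ("anon" in info or info.get("id") == 0):
        return set()  # logged-in user: the '*' restriction does not apply
    return set(denied) & set(info.get("rights", []))


def compare_clients(fresh, stale):
    """Report leaked rights for a cookie-less client and a stale-cookie client."""
    return {"fresh": sorted(leaked_rights(fresh)),
            "stale_cookie": sorted(leaked_rights(stale))}


if __name__ == "__main__":
    print(compare_clients(FRESH, STALE))
```

Against a live wiki, pass the output of `fetch_userinfo` called once without cookies and once with the cookies of a logged-out browser session; any non-empty list means the `*` group restriction is not being enforced for that client.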