
permissions must be checked on item creation
Closed, ResolvedPublic

Description

Currently, permissions are only checked correctly when modifying existing items, not when creating items. The reason is that permission checks are title-based, but we can only have a title after the item has been recorded in the database, which we don't want to do if the user shouldn't be allowed to create the item.

So... make a dummy title? Or just check user rights, and not title-based permissions?

Note: the ultimate permission check should be implemented in Item::save().


Version: master
Severity: critical
Whiteboard: storypoints: 5

Details

Reference
bz37989

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 22 2014, 12:30 AM
bzimport set Reference to bz37989.
bzimport added a subscriber: Unknown Object (MLST).

The simplest (and probably most robust) solution may be to construct a dummy Title for a page in the data namespace, e.g. Data:Q0, and call userCan() on that.

This would bypass page protection against creation as well as the title blacklist and similar things, but these do not apply to the ID-based titles used by Wikidata anyway.

(side note... should the title blacklist apply to item labels and aliases?)

See ItemContent::UserCanEdit

Consider API wbsetitem({}) and the Special:CreateItem page.

Verified in Wikidata demo time for sprint 15
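
The approach discussed in this task (check against a placeholder title such as Data:Q0, and enforce it in the save path before anything is written) can be sketched as below. This is an added example, not MediaWiki or Wikibase code: `ItemStore`, the standalone `userCan()` function, the `NS_DATA` value and the `item-write` right are hypothetical, and the policy and users are constructed sample data.

```php
<?php
// Simplified model, not MediaWiki or Wikibase code; all names here are hypothetical.
const NS_DATA = 120; // assumed namespace number for the data namespace

final class PermissionDenied extends RuntimeException {}

// Title-based check: the answer depends on the user's rights AND the namespace.
function userCan(string $action, array $rights, int $ns, array $nsRestrictions): bool {
    if (!in_array($action, $rights, true)) {
        return false;
    }
    $extra = $nsRestrictions[$ns] ?? null; // right required to touch this namespace
    return $extra === null || in_array($extra, $rights, true);
}

final class ItemStore {
    private array $rows = [];
    private int $nextId = 1;
    public function __construct(private array $nsRestrictions) {}
    /** Single enforcement point: every caller (API, special page) ends up here. */
    public function save(?int $id, array $data, array $rights): int {
        $isNew = $id === null;
        $action = $isNew ? 'createpage' : 'edit';
        // A new item has no ID yet, so check against a placeholder title (Q0).
        $page = 'Q' . ($isNew ? 0 : $id);
        if (!userCan($action, $rights, NS_DATA, $this->nsRestrictions)) {
            throw new PermissionDenied("$action denied on Data:$page");
        }
        // Only now allocate an ID and write the row.
        $id ??= $this->nextId++;
        $this->rows[$id] = $data;
        return $id;
    }

    public function count(): int { return count($this->rows); }
}

$store = new ItemStore([NS_DATA => 'item-write']); // constructed sample policy
$editor = ['edit', 'createpage', 'item-write'];
$reader = ['edit', 'item-write'];                   // may edit, may not create

$q1 = $store->save(null, ['label' => 'Berlin'], $editor);
$store->save($q1, ['label' => 'Berlin (city)'], $reader);
try {
    $store->save(null, ['label' => 'spam'], $reader);
} catch (PermissionDenied $e) {
    echo $e->getMessage(), "\n";
}
echo $store->count(), "\n";
```

Because the check runs before an ID is allocated, a denied creation leaves no row and consumes no ID, and both entry points named above (the API module and the special page) are covered by the one check in `save()`.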