Page MenuHomePhabricator

Changing the visibility of the article feedback tool does not respect protection level
Closed, InvalidPublic

Description

Users without the sysop right can apparently change the visibility of the article feedback tool on fully-protected pages. See http://en.wikipedia.org/w/index.php?title=Special:Log&page=Wikipedia%3AFile+Upload+Wizard and discussion at http://en.wikipedia.org/wiki/Wikipedia_talk:File_Upload_Wizard#Edit_request_on_21_September_2013


Version: unspecified
Severity: normal

Details

Reference
bz54442

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 2:09 AM
bzimport set Reference to bz54442.
bzimport added a subscriber: Unknown Object (MLST).

In the protection interface, article feedback has a separate setting from editing. Prior to the update that added logging to feedback toggles, this wasn't automatically set when pages were protected, but it is now, so in essence this is already fixed.

Users without sysop rights can indeed change the visibility of AFTv5, but not via ?action=protect, and only a limited (aft-reader|aft-editor) subset of options.

They can only change visibility (enable|disable) via the links outlined in these feature requirements: http://www.mediawiki.org/wiki/Article_feedback/Version_5/Feature_Requirements#Enable_feedback_from_the_article_page

In the background, this will trigger the same change as the corresponding change via ?action=protect would (apart from not having all detailed protection options) & it will write a similar line to the log (which may be confusing, but probably less confusing than having separate mechanisms)

If a sysop changes the protection to something higher-level (like aft-administrator), normal users can not override this.