Edits that change contentmodel cannot be reverted
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	valhallasw
	Nov 16 2014, 3:36 PM

Description

And possibly edits should not be allowed for non-sysops in general.

Example:
https://test.wikipedia.org/w/index.php?title=User:Valhallasw/test&oldid=218737

changed the contentmodel to json, then it was reverted in
https://test.wikipedia.org/w/index.php?title=User:Valhallasw/test&oldid=218738

note that the content model was /not/ reverted. This has security implications, as this can cause hard-to-revert vandalism.

In addition, everything throws exceptions when content models change. e.g.
https://www.mediawiki.org/w/index.php?title=User:Legoktm/test&action=edit&oldid=1236737

https://www.mediawiki.org/w/index.php?title=User:Legoktm/test&action=edit&undoafter=1236737&undo=1257300

Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=71163
https://bugzilla.wikimedia.org/show_bug.cgi?id=70901

Details

Reference: bz73490

Related Objects
Search...

Status	Assigned	Task
Declined	Vogone	T202597 'editcontentmodel' missing in metawiki's MassMessage sender group
Open	None	T92795 Users without 'editcontentmodel' user right cannot create MassMessage delivery lists
Open	None	T85847 Grant editcontentmodel right to all logged in users
Resolved	Legoktm	T75490 Edits that change contentmodel cannot be reverted

Event Timeline

• bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:47 AM

• bzimport added a project: Security-Core.

• bzimport set Reference to bz73490.

• bzimport changed Security from none to Software security bug.

Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". · View Herald TranscriptNov 22 2014, 3:47 AM

Restricted Application changed the edit policy from "All Users" to "acl*security (Project)". · View Herald Transcript

valhallasw created this task.Nov 16 2014, 3:36 PM

(In reply to Merlijn van Deen from comment #0)

And possibly edits should not be allowed for non-sysops in general.

Example:
https://test.wikipedia.org/w/index.php?title=User:Valhallasw/
test&oldid=218737

changed the contentmodel to json, then it was reverted in
https://test.wikipedia.org/w/index.php?title=User:Valhallasw/
test&oldid=218738

note that the content model was /not/ reverted. This has security
implications, as this can cause hard-to-revert vandalism.

I think just limiting content model changing is possibly enough. The question is whether this is a problem for users enabling things like Flow themselves...

In addition, everything throws exceptions when content models change. e.g.
https://www.mediawiki.org/w/index.php?title=User:Legoktm/
test&action=edit&oldid=1236737

https://www.mediawiki.org/w/index.php?title=User:Legoktm/
test&action=edit&undoafter=1236737&undo=1257300

https://bugzilla.wikimedia.org/show_bug.cgi?id=71163

• csteipp added a project: acl*security.Nov 24 2014, 9:27 PM

Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 9:27 PM

Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript

• csteipp changed the visibility from "Custom Policy" to "Custom Policy".Dec 1 2014, 11:35 PM

• csteipp changed the edit policy from "Custom Policy" to "Custom Policy".

• csteipp changed Security from Software security bug to None.

• csteipp added a subscriber: • Mattflaschen-WMF.

• csteipp changed the visibility from "Custom Policy" to "Custom Policy".Dec 10 2014, 7:30 PM

• csteipp added subscribers: EBernhardson, • Spage.

• Spage mentioned this in T85874: [3] O5. managing Flow boards outside $wgFlowOccupyPages (spike).Jan 5 2015, 10:31 PM