Last modified: 2012-04-12 13:54:42 UTC
Consider this setup: $wgAddGroups['sysop'] = array('sysop'); $wgRemoveGroups['sysop'] = array('sysop'); There is no way to revoke this in another group. $wgRevokePermissions['othergroup']['userrights'] = true; doesn't work, since userrights is not needed for access to Special:UserRights.
What are you trying to accomplish by trying to remove access to Special:Userrights to someone who specifically has the right to add/remove other users from the sysop group? Perhaps there is another way to accomplish this that works more naturally with the permissions system.
Since sysops can make sysops, we want to have a way for bureaucrats to enforce a desysopping so a random sysop can't come and undo it. The idea was to use wgRevokePermissions to create a revoke group, so a bureaucrat could add someone to that group and then it wouldn't matter if the user was a sysop or not, they still wouldn't have the actual rights. Thanks to wgRevokePermissions this works for everything but access to Special:Userrights. The UserrightsChangeableGroups hook would be an alternative solution, but it was removed in 1.16 because it was unused.
Why not just don't give the sysop group rights to remove it, and give that right to the other group?
That's not the problem. The problem is the sysop group having the right to add it. If someone misbehaves they lose their sysopship, but then any sysop can reinstate it, causing a wheel war.