Last modified: 2012-08-24 09:32:18 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T36303, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 34303 - Comments: Server must reject comments if they come from users without "comment" right.


Summary:	Comments: Server must reject comments if they come from users without "commen...

Status:	RESOLVED FIXED

Product:	MediaWiki extensions
Classification:	Unclassified
Component:	Comments (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Normal normal (vote)
Target Milestone:	---
Assigned To:	Jack Phoenix

URL:
Whiteboard:
Keywords:	patch, patch-reviewed

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2012-02-09 19:08 UTC by Van de Bugger
Modified:	2012-08-24 09:32 UTC (History)
CC List:	3 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Trivial patch. (5.98 KB, patch) 2012-02-09 19:08 UTC, Van de Bugger	Details
Add an attachment (proposed patch, testcase, etc.)

Description Van de Bugger 2012-02-09 19:08:46 UTC

Created attachment 9975 [details]
Trivial patch.

Hi,

If user does not have "comment" right, hiding edit field is not enough. Sever must also validate user rights and reject comments coming from user with no "comment" right, otherwise smart guys can post comment.

Comment 1 Van de Bugger 2012-02-09 19:15:37 UTC

The same issue for voting. See the next function, wfCommentVote:

> // Blocked users cannot vote, obviously
> if( $wgUser->isBlocked() ) {
>     return '';
> }

Must be 

> // Blocked users cannot vote, obviously
> if( ! $wgUser->isAllowed( 'comment' ) || $wgUser->isBlocked() ) {
>     return '';
> }

Comment 2 Van de Bugger 2012-02-09 19:31:47 UTC

Hmm... Similar issue for other conditions: checking conditions on UI side is not enough. For example, hiding vote buttons at user's own messages is not enough, server side should recheck all the conditions and reject invalid operations.

I was able to add a vote to y own messages...

Comment 3 Sumana Harihareswara 2012-02-10 20:44:54 UTC

Hey, Van, I'm adding the "patch" and "need-review" keywords here to indicate that the patch awaits review.

There's been a bit of a delay in the review of patches here -- as we prepare to get a new version out, we're in a "code slush" during which we concentrate on reviewing code that has already been committed to our source code repository (see http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/57950 for more details).  But we'll try to respond to your contribution soon.  Thanks for the patch!

Comment 4 Mark A. Hershberger 2012-02-11 19:30:48 UTC

If you provide a fuller patch covering all the conditions you think should be covered, then I can apply it.  Please see https://www.mediawiki.org/wiki/How_to_become_a_MediaWiki_hacker#Submit_your_changes for more info on how to do this, if needed.

Comment 5 Jack Phoenix 2012-07-15 16:20:17 UTC

Thanks for the patch Van, I've committed a patch based on yours to SVN in r115613, which adds user rights checking to two AJAX functions, wfCommentSubmit and wfCommentVote. Now the AJAX interface correctly enforeces user rights and users who do not have the 'comment' user right can no longer submit new comments or vote on existing comments.

I believe that this should be about it and I'm suggesting closing this as RESOLVED FIXED, unless new issues pop up.

Comment 6 Van de Bugger 2012-07-16 17:28:27 UTC

Hi,

I thought process is: If you committed the fix, please move it to RESOLVED state. When I check the fix I will move record to VERIFIED state. Then you can move it to CLOSED.

Comment 7 Jack Phoenix 2012-08-24 09:32:18 UTC

Closing the bug as the fix has been committed a while ago.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links