Last modified: 2013-10-23 18:17:33 UTC
I noticed this bug when playing around with some of the settings on my work's internal wiki. It's a little complicated to reproduce, but in a nutshell, if a user is granted the 'protect' right, they can place pages under protection up to and including the highest level they are able to themselves edit (or move or whatever). This implies, and the documentation appears to state, that they cannot *remove* any existing protection higher than what they are able to place: "If you set a level higher than sysops, that is, protection from sysop editing, sysops cannot give a page that level of protection nor remove it, even with the 'protect' permission." - http://www.mediawiki.org/wiki/Manual:$wgRestrictionLevels Unfortunately, this is almost precisely what happened on my wiki. To duplicate: 1. In LocalSettings.php, add the following lines. These should replace the default protection levels with one called "level1" and another "level2". It also creates a new user group called "level1editor" that is allowed to edit "level1" protected pages and place protection on pages up to "level1": $wgRestrictionLevels = array('', 'level1', 'level2'); $wgGroupPermissions['level1editor']['level1'] = true; $wgGroupPermissions['level1editor']['protect'] = true; $wgGroupPermissions['sysop']['level1'] = true; $wgGroupPermissions['sysop']['level2'] = true; 2. Log into a bureaucrat account. Give yourself +sysop and +level1editor. 3. Go to a random page and ensure you can issue all levels of protection. Give the page "level2" protection. 4. Go back to Special:Userrights and remove your sysop flag. 5. Go back to the "level2" protected page; confirm you cannot edit it. 6. Open its protection settings. You should only see "Allow all users" and "Require "level1" permission" listed as options. 7. Pick one and save the settings. --> ERROR: You've just removed protection that you are not able to edit through.
Chris, can you attempt to repro with either master or 1.20wmf2?
I am unable to reproduce this in a local MediaWiki install checked out from master. In particular, upon removing the sysop flag and navigating to the protected page, only "Watch" is available to choose. "Change protection" is not available, nor "Move" or "Delete". This issue might be in 1.18 but does not seem to be valid for the latest version of MediaWiki
Guessing you did, but are you sure that you set the "protect" permission for the second user group (I provided detailed replication instructions above)? If so, then there's still a bug, albeit not the one I originally reported, as someone with the "protect" permission ought to be able to get to the protection management screen to set what levels they do have access to.
Hersfold, yes, I followed your instructions exactly. I think you might be right about the second issue though, seems like a "level1editor" should be able to set protection for "Require level1 permission", assuming that LocalSettings.php is correct.
I figured you had, just wanted to double check. :-) That is how I understood the documentation on Mediawikiwiki. Given that the originally reported issue seems to have been resolved, should I file a separate bug for the issue you discovered?
(In reply to comment #5) > Given that the > originally reported issue seems to have been resolved, should I file a separate > bug for the issue you discovered? Please do and close this one.