Last modified: 2014-05-10 16:01:24 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T63087, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 61087 - Special:ImportTranslations allows to edit protected pages
Special:ImportTranslations allows to edit protected pages
Status: REOPENED
Product: MediaWiki extensions
Classification: Unclassified
Translate (Other open bugs)
master
All All
: Low minor (vote)
: ---
Assigned To: Nobody - You can work on this!
https://meta.wikimedia.org/w/index.ph...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-08 10:29 UTC by Nemo
Modified: 2014-05-10 16:01 UTC (History)
5 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nemo 2014-02-08 10:29:06 UTC 
On a wiki where you can export/import:
1) find on Special:ProtectedPages a message you can't edit, or ask someone to make one;
2) identify the group it belongs to and do a Special:Translate export in po format;
3) change something in the po file for that message;
4) upload the po translations in Special:ImportTranslations and confirm.

I. Expected: the change is discarded.
II. Observed: the edit goes through.
III. Note: both TUX and the old translation editor (e.g. <https://meta.wikimedia.org/w/index.php?title=Special%3ATranslate&taction=proofread&group=Centralnotice-tgroup-B13_0701_txtpm_CntrlEnt_dr_enSG&language=qqq&limit=100&task=reviewall>) let me open the message for translation but then correctly fail with «Errore durante il salvataggio della traduzione: The "editprotected" right is required to edit this page».
Comment 1 Siebrand Mazeland 2014-02-08 11:05:32 UTC 
Protected pages and translatable pages are fundamentally incompatible. Unmark a page for translation if you want to be able to protect it. This feature request will not be honored.
Comment 2 Nemo 2014-02-08 11:26:17 UTC 
Siebrand, you may need to read more carefully: not the page, but a message is protected. I was told to file this bug by Niklas.
Comment 3 Siebrand Mazeland 2014-02-08 11:34:48 UTC 
(In reply to comment #2)
> a message is protected.

Thank you for making the effort to file a bug, Federico.

I think this makes it even more clear page protection and translatable pages are incompatible. Niklas telling you to file a bug is not relevant for the bug state.
Comment 4 Niklas Laxström 2014-02-08 13:05:19 UTC 
The example page is from central notice translations, not translatable page.
Comment 5 Kunal Mehta (Legoktm) 2014-02-09 09:15:51 UTC 
(In reply to comment #1)
> Protected pages and translatable pages are fundamentally incompatible.

Shouldn't $title->userCan('edit') work on any type of page? This seems like a pretty large bug. 

Can you "import" a translation to overwrite a page in the MediaWiki namespace?
Comment 6 Nemo 2014-02-09 09:32:56 UTC 
(In reply to comment #5)
> Can you "import" a translation to overwrite a page in the MediaWiki
> namespace?

Needs testing on an appropriately configured wiki. On Meta (and most wikis) you can't make a MediaWiki page directly translatable and when a page doesn't belong to a message group any handcrafted po import will probably fail in way earlier stages.
Comment 7 Niklas Laxström 2014-02-11 10:38:47 UTC 
Reopening. While I don't generally care about supporting protected pages with translation, it is not good to be able to bypass restrictions. There is is chance that in due time someone will use this together with some other vulnerability to do a nasty exploit.
Comment 8 Nemo 2014-05-10 16:01:24 UTC 
Can/must be addressed by being stricter in or around allowProcess() in MessageWebImporter?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links