Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User with readonly permission can create ACL for page #47

Open
mgiacomoli opened this issue Mar 16, 2016 · 6 comments
Open

User with readonly permission can create ACL for page #47

mgiacomoli opened this issue Mar 16, 2016 · 6 comments

Comments

@mgiacomoli
Copy link

Hello, I found some weird behavior with ACL page creation.

Mediawiki: 1.23.13
IntraACL: 2.1.8

I created a custom Namespace (NS1) and set to it an ACL like this

{{#access: assigned to = User:Admin | actions = *}}
{{#access: assigned to = User:User1 | actions = read}}
{{#manage rights: assigned to = User:Admin}}

Now if I login as User1 I can read the page NS1:Page1 (ok, that is what I want), but I can also create an ACL for that page (clicking on the ACL button on top of the page or using the corresponding url) where I can grant all permissions to everybody!

Is this the intended behavior?

Best regards
@mgiacomoli mgiacomoli mentioned this issue Mar 16, 2016
Closed
@vitalif
Copy link
Member

vitalif commented Mar 16, 2016

Yes, it is...

@vitalif
Copy link
Member

vitalif commented Mar 16, 2016

The idea is that any user should be always able to define specific protection for any page which is not protected yet... and namespace/category "manage" rights make some users "local permission admins" i.e. allow them to edit ACLs created by other users for pages in this namespace/category...

@mgiacomoli
Copy link
Author

Thanks for your reply.

I understand your idea, and agree about it, but I think we could consider a page inside a protected namespace as protected, without the need of defining an ACL for that single page. Otherwise namespace (and maybe category too) become IMHO pretty useless, because a user with just read right for that NS can do a "privilege escalation" and obtain all the rights he wants. In order to prevent this (the only way I found) you need to define a quick ACL with useless rights, assign it to every page you create (ok, you can set a quick ACL as default) and also every page you created before, just for having the pages protected.

IMHO only users with manage right assigned for a NS (or category) should be able to create/edit ACLs for pages that belongs to it, or every user for an unprotected page (i.e. that doesn't have an ACL set at any level, page, category and ns).

Best regards

@vitalif
Copy link
Member

vitalif commented Mar 17, 2016

You can also do it by using SHRINK permission mode...

@vitalif
Copy link
Member

vitalif commented Mar 17, 2016

IMHO only users with manage right assigned for a NS (or category) should be able to create/edit ACLs for pages that belongs to it, or every user for an unprotected page (i.e. that doesn't have an ACL set at any level, page, category and ns).

I think you're right, but this requires a separate "create protection" permission, because current implementation allows to edit all page ACLs (even those created by someone else) if you have "manage" permission for its namespace.

@mgiacomoli
Copy link
Author

You can also do it by using SHRINK permission mode...

Tried setting $haclgCombineMode to HACL_COMBINE_SHRINK and ok, the user can still create the ACL but thanks to this combine mode the user still has no other permissions.

Anyway in my case I can't apply this, since I need only some users to be able to create (at least edit) ACLs for single pages inside a protected NS that add some permissions to some users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vitalif @mgiacomoli