Restrictions extension - Seizam/seizamcore GitHub Wiki
Developed by Yannouk
- Can you access protected pages via {{:protected article}}? What if you use multiple levels (transclusions within transclusions)?
- Can you access protected pages via a transclusion to a redirection?
- Can you circumvent a transclusion protection by using the transclusion in edit preview mode?
- RESULT: OK, restricted pages do not appear when transcluded or redirected from a non-restricted page, even in preview
- Can you circumvent the protection using editintro= or preload= URI parameters in edit mode?
- NOTE: Should be safe with extension using the UserCan hook
- RESULT: URI parameters didn't affect MediaWiki, so NO TEST RESULT
- Is it possible to export the contents of a protected page?
- RESULT: OK, protected pages do not appear in exports
- Does the article get delivered? With diff or full content?
- There are two feeds, one on the Recent changes special page and another on the page history. Additional feeds may be provided by extensions.
- RESULT: OK, if restricted, the feeds do not display any content
- Are non-readable pages listed on the Special:Search page? Are excerpts shown? (See also bugzilla:8825)
- Are non-readable pages listed on Special:Recentchanges or Special:Allpages?
- Are non-readable pages listed on other special pages, such as Lonelypages, etc.?
- If LuceneSearch is used, have you closed ports 8123 and 8321 from global access?
- RESULT: OK, non-readable pages: no content search, but title search is still possible
- If the page content is not readable, only the title link is returned (in SpecialSearch.php: `if( !$t->userCanRead() ) { return "{$link} \n"; }`)
- Can a direct link to a page diff be used to show text from a protected page? How about a diff between a revision of an unprotected and a revision of a protected page, by manipulating the revision IDs?
- RESULT: OK, history cannot bypass current restriction
- Can you use a permanent link (revision link) to an old version to read a page you shouldn't read?
- RESULT: OK, cannot bypass using revision link
- How about a link that has a revision ID belonging to a different than the title refers to, by manipulating the URL?
- RESULT: OK, cannot bypass
- Can the revids parameter for action=query be used to fetch revisions that should be hidden?
- use http://seizam.localhost/api.php?action=query&prop=revisions&rvprop=content&format=txt&revids=337
- API takes the restriction into account
- use http://seizam.localhost/api.php?action=query&prop=revisions&format=txt&revids=337
- Comment visible, even if the page is restricted (the page creation comment contains page text)
- RESULT: PROBLEM
- Can you use action=raw or action=render options to read a page you shouldn't read?
- use http://seizam.localhost/index.php?title=Alice_restricted&action=raw
- Can you access a printable version of a page you shouldn't read?
- use http://seizam.localhost/index.php?title=Alice_restricted&printable=yes
- Can a direct link to the edit page be used to view page contents of a protected page?
- use http://seizam.localhost/index.php?title=Alice_restricted&action=edit
- RESULT: OK, no problem
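The API and index.php probes above were run by hand against fixed URLs. As an added example (not part of the seizamcore project) here is a small harness that runs the same probes as an anonymous client and classifies each response by how much of a known phrase from the restricted page it exposes, so the "comment contains page text" case is caught as a partial leak rather than missed. It assumes a wiki at BASE_URL (placeholder host, as on this page), a restricted title, one revision id and a distinctive phrase from the page text; the HTTP layer is injected, and the SAMPLE_RESPONSES are constructed to mirror the finding above, not captured from a real wiki.

```python
"""Offline-testable harness for the read-restriction bypass probes listed above.

Added example, not part of the seizamcore project. It assumes a wiki at
BASE_URL (placeholder host taken from the page) with a read-restricted page
whose title, a revision id and a distinctive phrase from its text are known to
the tester. The HTTP layer is injected so the probes can be run against canned
responses; SAMPLE_RESPONSES below are constructed, not captured from a real wiki.
"""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

BASE_URL = "http://seizam.localhost"  # placeholder: point at the wiki under test

# Probes from the checklist: (name, endpoint, query parameters).
# {title} and {revid} are filled in at run time.
PROBES = [
    ("api_revisions_content", "api.php",
     {"action": "query", "prop": "revisions", "rvprop": "content",
      "format": "json", "revids": "{revid}"}),
    ("api_revisions_comment", "api.php",
     {"action": "query", "prop": "revisions", "rvprop": "comment",
      "format": "json", "revids": "{revid}"}),
    ("index_raw", "index.php", {"title": "{title}", "action": "raw"}),
    ("index_render", "index.php", {"title": "{title}", "action": "render"}),
    ("index_printable", "index.php", {"title": "{title}", "printable": "yes"}),
    ("index_edit", "index.php", {"title": "{title}", "action": "edit"}),
]


def build_url(endpoint, params, title, revid):
    """Fill the placeholders and URL-encode the query string."""
    filled = {k: v.format(title=title, revid=revid) for k, v in params.items()}
    return f"{BASE_URL}/{endpoint}?{urlencode(filled)}"


def default_fetch(url):
    """Fetch as an anonymous (logged-out) client; a 403 body is still inspected."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.read().decode("utf-8", "replace")


def leak_level(body, secret, min_prefix=20):
    """How much of SECRET (a phrase from the restricted page) is visible in BODY.

    'full'    - the whole phrase is present (content served).
    'partial' - a prefix of at least MIN_PREFIX characters is present. This is
                the edit-summary case from the page: MediaWiki's automatic
                page-creation summary repeats the beginning of the page text.
    'none'    - nothing recognisable.
    """
    if secret in body:
        return "full"
    for n in range(len(secret) - 1, min_prefix - 1, -1):
        if secret[:n] in body:
            return "partial"
    return "none"


def run_probes(title, revid, secret, fetch=default_fetch):
    """Run every probe and map its name to 'OK' or 'PROBLEM: <level> content visible'."""
    results = {}
    for name, endpoint, params in PROBES:
        level = leak_level(fetch(build_url(endpoint, params, title, revid)), secret)
        results[name] = "OK" if level == "none" else f"PROBLEM: {level} content visible"
    return results


# Constructed sample data modelled on the finding above: the content probe is
# blocked, but the creation comment still echoes the start of the page text.
SAMPLE_SECRET = "Alice private notes: the meeting is moved to Friday"
SAMPLE_RESPONSES = {
    "rvprop=content": json.dumps({"query": {"pages": {"12": {
        "title": "Alice_restricted", "revisions": [{"revid": 337}]}}}}),
    "rvprop=comment": json.dumps({"query": {"pages": {"12": {
        "title": "Alice_restricted", "revisions": [{"revid": 337,
        "comment": 'Created page with "' + SAMPLE_SECRET[:30] + '..."'}]}}}}),
}
DENIED_HTML = "<html><body>Permission error: you are not allowed to view this page.</body></html>"


def sample_fetch(url):
    """Stand-in for default_fetch that serves the constructed responses."""
    for marker, body in SAMPLE_RESPONSES.items():
        if marker in url:
            return body
    return DENIED_HTML


if __name__ == "__main__":
    verdicts = run_probes("Alice_restricted", 337, SAMPLE_SECRET, fetch=sample_fetch)
    for probe, verdict in verdicts.items():
        print(f"{probe:24} {verdict}")
```

Run it with the default fetcher while logged out to repeat the checks after each change to the extension; the comment probe is the one to watch, since a revision listing without rvprop=content still returns edit summaries, and the first summary of a page is derived from its text.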
- Does the extension prevent a user from creating a new page that he won't have read access to?
- It is not possible to set a read restriction for a non-existent page
- Can you move or rename a page that you have read access to but not write access to?
- if you don't `unset($wgRestrictionTypes[array_search('move', $wgRestrictionTypes)]);` in LocalSettings.php
- if you set `$wgGroupPermissions['user']['move'] = true;`
- set the edit restriction to owner, but read to everyone
- RESULT: OK, "You are not allowed to execute the action you have requested." (if edit and/or move is restricted, move is not allowed)
- Can you read a discussion page of a page you don't have read access to? Can you write a discussion page of a page you don't have write access to, unless this is specifically allowed by you?
- RESULT: rights on discussion pages will be managed by the WikiPlace extension (currently, everyone can create Talk:toto even if the page toto is read/edit restricted to the owner)
- Some extensions always allow the original author of a page to access it, ignoring later access restrictions.
- RESULT: OK, if the edit restriction is set to sysop, the owner can't edit or change the restrictions; if the read restriction is set to sysop, even the owner can't access the page
- $wgEnableParserCache (enabled by default) caches articles between users.
- $wgEnableSidebarCache (not enabled by default) performs a similar function for the sidebar.
- If the extension could send different pages to different users, it might be incompatible with this caching.
- RESULT: PROBLEM, solution = disallow transcluding a read-protected page (only allow transclusion when the target has no read restriction)
- Can you download a file directly regardless of read access to its associated article?
- RESULT: no, so OK
- Can you download a thumbnail of an image file directly regardless of read access to its associated article?
- RESULT: no, so OK
- Can you upload or delete an image regardless of write access to its associated article?
- RESULT: can re-upload even if read restricted, but the edit and upload restrictions must be satisfied, so it's OK
- If a user has permission to view a redirect but not the page it points to, are they still redirected?
- RESULT: no, so OK
- If a user has permission to view a page but not a redirect that points to that page, can they access the page via the redirect?
- RESULT: no, so OK
- Can a user use the 'edit section' feature for a page, even though they can't edit the full page (either through the interface or by changing the URL)?
- RESULT: no, so OK
- Can a user use the 'edit section' feature for pages they have been granted access to?
- RESULT: no, so OK
- Can a user watch a page he is not allowed to read?
- RESULT: no, so OK
- Can the user unwatch a page he is not allowed to read?
- RESULT: yes, but that's not a problem, so OK
- Does the user still get notifications even if she was locked out?
- RESULT: yes, but as discussed with Clement, it depends on what information is in the notifications, so it has to be tested on Papilusion to decide if it is a problem, so OK for now
- Can a user use other extensions to view part of a page? Think of Extension DynamicPageList or Semantic MediaWiki, which provide ways to query the database for certain pages or properties.
- Does an extension display confidential page titles, like a recently-edited page gadget?
- RESULT: not tested