b4ce1e3f05
Why: * On wiki farm installs, it is possible that temporary accounts are enabled on wiki but not another wiki * Special:UserRights can assign groups to users on other wikis * This currently allows temporary accounts to be assigned groups from a wiki where the feature is disabled and not known. * The Special:UserRights page should disallow this by preventing cross-wiki assignment of rights when the target username is reserved by the temporary accounts system. ** This works because the reserved pattern is accessible even when the feature is not known ** Furthermore, the reserved pattern is expected to be set for all wikis in the farm if one wiki has temporary accounts enabled, so that the temporary account cannot be created on wikis which have the feature disabled. What: * Update SpecialUserRights::saveUserGroups and ::fetchUser to reject usernames when: ** The wiki ID for the username is not local ** Temporary accounts are not enabled on the wiki ** TempUserConfig::isReservedName returns true for the username * Add a test to verify that temporary accounts cannot be given user groups by the special page. * Testing the changes made in this commit will be difficult as it requires having a second wiki set up, and this is not done in CI (which makes the test non-blocking for CI). Bug: T372046 Change-Id: I2d60c5b3322caa4629b4e73c0b0b525fd1028946 |
||
|---|---|---|
| .. | ||
| data | ||
| i18n | ||
| messages | ||
| .htaccess | ||