Consistently check permission for entity creation
Open, HighPublic
Actions

Assigned To

None

Authored By

	daniel
	May 30 2017, 4:56 PM

Description

Permission for entity creation is currently not checked consistently. We do:

require 'property-create' for SpecialNewProperty, by specifying it as required permission in the parent constructor.
EditEntity uses EntityPermissionChecker to check the "edit" permission.
- EditEntity::addRequiredPermission() is never called
EntityContentFactory also requires 'createpage' if the Entity's ID is null (!)
Api/EditPage::getRequiredPermissions() returns 'edit'; If the entity ID is null (new entity), it also returns 'createpage' and 'property-create'

This shows that permission checks are distributed all over the code, and partially inconsistent.

Also, some API modules that allow the creation of entities may not check all necessary permission.

Necessary permissions should be determined and checked in a central place. EditEntity seems to be the right place for this, since all entity edits go through there, and it has enough information about the user.

NOTE: this does not currently pose a security risk on wikidata.org, since a) the 'edit' and 'createpage' permissions are always checked and b) only Properties require an extra permission and c) property creation is only possible via wbeditentity, which does check 'property-create'.

Patch-For-Review:

Details

Subject	Repo	Branch	Lines +/-
Use EntityPermissionChecker for checking term modify permissions on relevant Special pages	mediawiki/extensions/Wikibase	master	+66 -25
Consider create permissions when entity is created using the API action for editing entity terms	mediawiki/extensions/Wikibase	master	+376 -87
Remove user permission logic from ItemMergeInteractor	mediawiki/extensions/Wikibase	master	+28 -63
Remove user permission logic from RedirectCreationInteractor	mediawiki/extensions/Wikibase	master	+20 -62
Remove permission check logic from some Api classes	mediawiki/extensions/Wikibase	master	+7 -37
Use WikiPageEntityStorePermissionChecker as WikibaseRepo permission checker	mediawiki/extensions/Wikibase	master	+26 -229
Add WikiPageEntityStorePermissionChecker for consistent permission checks	mediawiki/extensions/Wikibase	master	+974 -9

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T166586 Consistently check permission for entity creation
Resolved	WMDE-leszek	T170673 Make ChangeOps define required permissions
Open	None	T171484 When checking permissions in the context of applying the "clear" flag in wbeditentity, only check effective modifications.
Open	None	T171483 Check any special permissions like entity-term when applying the "clear" flag in wbebeditentity
Declined	GoranSMilovanovic	T171876 Create grafana dashboard for tracking the usage of the "clear" feature of wbeditentity
Resolved	daniel	T171609 Track usage of the "clear" feature of wbeditentity in statds
Resolved	daniel	T172100 get list of users of API module wbeditentity with clear flag

Event Timeline

daniel created this task.May 30 2017, 4:56 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 30 2017, 4:56 PM

daniel triaged this task as High priority.May 30 2017, 4:57 PM

daniel added a project: User-Daniel.

WMDE-leszek moved this task from Proposed to Backlog on the Wikidata-Former-Sprint-Board board.May 31 2017, 8:42 AM

Lydia_Pintscher moved this task from incoming to in progress on the Wikidata board.Jun 12 2017, 7:22 AM

WMDE-leszek moved this task from Backlog to Proposed on the Wikidata-Former-Sprint-Board board.Jun 13 2017, 1:40 PM

WMDE-leszek moved this task from Proposed to Backlog on the Wikidata-Former-Sprint-Board board.

WMDE-leszek claimed this task.Jun 26 2017, 3:14 PM

WMDE-leszek moved this task from Backlog to Doing on the Wikidata-Former-Sprint-Board board.

Change 361693 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] [WIP] Add WikiPageEntityStorePermissionChecker for consistent permission checks

https://gerrit.wikimedia.org/r/361693

gerritbot added a project: Patch-For-Review.Jun 27 2017, 4:26 PM

Change 361889 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] Use WikiPageEntityStorePermissionChecker as WikibaseRepo permission checker

https://gerrit.wikimedia.org/r/361889

Change 362239 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] Remove entity creation permission logic checks from Api\EditEntity

https://gerrit.wikimedia.org/r/362239

Change 363303 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] Remove user permission logic from RedirectCreationInteractor

https://gerrit.wikimedia.org/r/363303

Change 363304 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] Remove user permission logic from ItemMergeInteractor

https://gerrit.wikimedia.org/r/363304

Change 363305 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] Use EntityPermissionChecker for checking term modify permissions on relevant Special pages

https://gerrit.wikimedia.org/r/363305

WMDE-leszek moved this task from Doing to Review on the Wikidata-Former-Sprint-Board board.Jul 5 2017, 9:54 AM

WMDE-leszek moved this task from Review to Doing on the Wikidata-Former-Sprint-Board board.Jul 6 2017, 7:56 AM

WMDE-leszek moved this task from Doing to Review on the Wikidata-Former-Sprint-Board board.Jul 6 2017, 12:14 PM

Change 361693 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Add WikiPageEntityStorePermissionChecker for consistent permission checks

https://gerrit.wikimedia.org/r/361693

Change 361889 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Use WikiPageEntityStorePermissionChecker as WikibaseRepo permission checker

https://gerrit.wikimedia.org/r/361889

daniel added a subtask: T170673: Make ChangeOps define required permissions.Jul 14 2017, 12:22 PM

Change 362239 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Remove permission check logic from some Api classes

https://gerrit.wikimedia.org/r/362239

Change 365582 had a related patch set uploaded (by WMDE-leszek; owner: WMDE-leszek):
[mediawiki/extensions/Wikibase@master] Consider create permissions when entity is creating with API action for editing entity terms

https://gerrit.wikimedia.org/r/365582

Change 363303 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Remove user permission logic from RedirectCreationInteractor

https://gerrit.wikimedia.org/r/363303

Change 363304 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Remove user permission logic from ItemMergeInteractor

https://gerrit.wikimedia.org/r/363304

Lucas_Werkmeister_WMDE moved this task from Review to Doing on the Wikidata-Former-Sprint-Board board.Jul 19 2017, 10:07 AM

• Aleksey_WMDE claimed this task.Jul 19 2017, 10:32 AM

• Aleksey_WMDE added a subscriber: WMDE-leszek.

Change 365582 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Consider create permissions when entity is created using the API action for editing entity terms

https://gerrit.wikimedia.org/r/365582

• Aleksey_WMDE moved this task from Doing to Review on the Wikidata-Former-Sprint-Board board.Jul 19 2017, 5:19 PM

Change 363305 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] Use EntityPermissionChecker for checking term modify permissions on relevant Special pages

https://gerrit.wikimedia.org/r/363305

thiemowmde removed a project: Patch-For-Review.Jul 21 2017, 12:28 PM

thiemowmde updated the task description. (Show Details)

Seems like all the patches are merged now

Restricted Application added a subscriber: PokestarFan. · View Herald TranscriptJul 24 2017, 2:25 PM

daniel moved this task from Review to Done on the Wikidata-Former-Sprint-Board board.Jul 24 2017, 2:25 PM

Not all patches are merged in subtask

• Aleksey_WMDE moved this task from Done to Review on the Wikidata-Former-Sprint-Board board.Jul 24 2017, 3:32 PM

• Aleksey_WMDE moved this task from Review to Doing on the Wikidata-Former-Sprint-Board board.

WMDE-leszek claimed this task.Aug 1 2017, 11:42 AM

WMDE-leszek added a subscriber: • Aleksey_WMDE.

WMDE-leszek closed subtask T170673: Make ChangeOps define required permissions as Resolved.Oct 13 2017, 8:09 AM

WMDE-leszek moved this task from Doing to Done on the Wikidata-Former-Sprint-Board board.

WMDE-leszek removed a project: Wikidata-Former-Sprint-Board.Oct 17 2017, 8:42 AM

What's still left here now? I can't find any remaining patches in the open subtasks.

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips how to manage individual work in Phabricator (noisy notifications, lists of task, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the records, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

Consistently check permission for entity creationOpen, HighPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Consistently check permission for entity creation
Open, HighPublic
Actions

Related Objects
Search...