
$wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit = true; causes the wiki to be inaccessible for anonymous users
Closed, Resolved (Public)

Description

Setup

  • MediaWiki 1.27.1 (a52d35d) 06:46, 23 August 2016
  • PHP 5.6.24-0+deb8u1 (apache2handler)
  • MariaDB 10.0.26-MariaDB-1~jessie

Issue
After updating a wiki from MW 1.27.0 to MW 1.27.1 it becomes inaccessible for anonymous users, i.e. they can neither read a page nor log in. I believe this may very well be caused by the fix for T129738.

Error message

Permission error

You do not have permission to read this page, for the following reason:

You must confirm your email address before editing pages. Please set and validate your email address through your user preferences.

LocalSettings.php

$wgEmailConfirmToEdit = true;
$wgBlockDisablesLogin = true;
$wgGroupPermissions['*']['edit'] = false;

After setting $wgEmailConfirmToEdit to "false" the wiki is back in business again. Since I do not want to lose this setting ... As a matter of fact all "my" wikis which require e-mail confirmation for editing also use the newly "fixed" configuration setting.

Event Timeline

@Bawolff I subscribed you since you were the author of the patch set which I think is most likely the cause of the issue.

Kghbln renamed this task from $wgBlockDisablesLogin = true; causes the wiki to be inaccessible to $wgBlockDisablesLogin = true; causes the wiki to be inaccessible for anonymous users. Aug 24 2016, 2:30 PM
Kghbln updated the task description.

Change 306863 had a related patch set uploaded (by Brian Wolff):
Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/306863

Note that the $wgGroupPermissions['*']['edit'] = false; is unnecessary to reproduce the issue. You are correct that the fix for T129738 caused this issue.

Basically, $wgConfirmEmailToEdit was blocking all rights that use $title->userCan() instead of just edit. Previously read rights had special handling and weren't caught up in that.

Bawolff renamed this task from $wgBlockDisablesLogin = true; causes the wiki to be inaccessible for anonymous users to $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit causes the wiki to be inaccessible for anonymous users. Aug 26 2016, 1:42 AM
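The scoping problem discussed above, as an added example that is not part of the task or of MediaWiki's code: a simplified model in which an email-confirmation gate fires for every action that reaches it (regressed) versus only for edit (the stated intent of change 306863). The function name, array keys, error labels and the assumption that read skips the later checks unless $wgBlockDisablesLogin is enabled are all hypothetical.

```php
<?php
// Added illustration: a simplified model, NOT MediaWiki's permission code.
// All function names, array keys and error labels are hypothetical.

function permissionErrors(string $action, array $user, array $cfg, bool $fixed): array
{
    $errors = [];
    // Stage 1: is the right granted to the user at all?
    if (!in_array($action, $user['rights'], true)) {
        $errors[] = "no-right:$action";
    }
    // Assumption: 'read' skips the later stage unless BlockDisablesLogin is on.
    if ($action === 'read' && !$cfg['BlockDisablesLogin']) {
        return $errors;
    }
    // Stage 2: email-confirmation gate.
    // Regressed: applies to any action reaching this point. Fixed: 'edit' only.
    $gated = !$fixed || $action === 'edit';
    if ($cfg['EmailConfirmToEdit'] && $gated && !$user['emailConfirmed']) {
        $errors[] = 'email-not-confirmed';
    }
    return $errors;
}

// Walk every combination of the two settings, before and after the fix.
function regressionMatrix(array $user): array
{
    $rows = [];
    foreach ([false, true] as $block) {
        foreach ([false, true] as $email) {
            foreach ([false, true] as $fixed) {
                $cfg = ['BlockDisablesLogin' => $block, 'EmailConfirmToEdit' => $email];
                $rows[] = [$block, $email, $fixed,
                    permissionErrors('read', $user, $cfg, $fixed) === [],
                    permissionErrors('edit', $user, $cfg, $fixed)];
            }
        }
    }
    return $rows;
}

// Constructed sample user: anonymous, may read, has no confirmed email.
$anon = ['rights' => ['read', 'createaccount'], 'emailConfirmed' => false];

foreach (regressionMatrix($anon) as [$block, $email, $fixed, $canRead, $editErrors]) {
    printf("BlockDisablesLogin=%d EmailConfirmToEdit=%d fixed=%d anonCanRead=%s editErrors=[%s]\n",
        $block, $email, $fixed, $canRead ? 'yes' : 'NO', implode(',', $editErrors));
}
```

A matrix like this is the shape of regression test that catches a gate leaking out of its intended action: every setting combination is checked against the invariant that reading stays possible for users who hold the read right.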

Out of curiosity, what's the point of enabling $wgBlockDisablesLogin and having your wiki be publicly readable?

@Bawolff Thank you for your notes and tackling this issue! I very much appreciate this!

Out of curiosity, what's the point of enabling $wgBlockDisablesLogin and having your wiki be publicly readable?

There is actually no big point for having this on a publicly readable wiki. That's why I removed the setting instead of rolling back to MW 1.27.0 on that particular instance.

Since this issue however prevents anons from logging into a private wiki the fix is still very important. So backports to REL1_23 and REL1_26 are needed too.

Kghbln renamed this task from $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit causes the wiki to be inaccessible for anonymous users to $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit true; causes the wiki to be inaccessible for anonymous users. Aug 26 2016, 4:04 PM
Kghbln renamed this task from $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit true; causes the wiki to be inaccessible for anonymous users to $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit = true; causes the wiki to be inaccessible for anonymous users.

So backports to REL1_23 and REL1_26 are needed too.

Agreed. I marked it as blocking the 1.27.2 task, which should also ensure it's appropriately backported. (You probably can't see that task as 1.27.2 is primarily security related, so the tracker bug is in the "secret" security section, so it doesn't show up on the normal list.)

Pretty sad. I now waited eight months for the fix with the new release and now learn that it is still broken. I figured that the patch got merged. :( I have a wiki at hand that uses $wgWhitelistRead for a couple of pages ...

I was bold and added MW-1.27 again hoping that will help the cause. Keeping the spirit of hope here.

Krinkle subscribed.

Re-tagging open task for prev LTS with upcoming LTS tag.

Change 306863 merged by jenkins-bot:
[mediawiki/core@master] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/306863

Change 439800 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/core@REL1_31] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439800

Change 439801 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/core@REL1_27] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439801

Change 439800 merged by jenkins-bot:
[mediawiki/core@REL1_31] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439800

Change 439812 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/core@REL1_30] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439812

Change 439813 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/core@REL1_29] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439813

Change 439801 merged by jenkins-bot:
[mediawiki/core@REL1_27] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439801

Change 439812 merged by jenkins-bot:
[mediawiki/core@REL1_30] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439812

Change 439813 merged by jenkins-bot:
[mediawiki/core@REL1_29] Make $wgEmailConfirmToEdit only affect edit actions.

https://gerrit.wikimedia.org/r/439813

Legoktm claimed this task.
Legoktm subscribed.

Merged and backported to all supported stable releases.

Merged and backported to all supported stable releases.

Awesome! Thanks a ton!