Split editcascadeprotected permission from protect permission

Currently, both permissions are summarised in the protect permission. This is
unadvantageous for wikis that want to split this permission, for example for the
main page: They don't want protection changes by non-sysop users there, but on
transcluded pages some less privileged users are allowed to edit. Currently,
it is impossible to divide these permissions in a clean way (they can add a hack
depnding on action parameter in LocalSettings.php right now). Furthermore, an
additional permission is no pain, because by default it is handled the same as
protect until now.

Note that for sakes of backwards compability I decided to handle editcascadeprotected
as a subset of protect instead of removing all permissions to edit cascadeprotected
pages (and change the cascade protection state of a page) for users who only have got
the protect permission. Furthermore a different model would raise some strange questions
about the behaivour of the protection form for users with protect, but no editcascadeprotected.

Bug: T101309
Change-Id: I0734d6c26e75d7d7c01cf9750ad0315dd2c85bef

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 5b3684b..0bc8ad7 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4882,6 +4882,7 @@ $wgGroupPermissions['sysop']['move-categorypages'] = true;
 $wgGroupPermissions['sysop']['patrol'] = true;
 $wgGroupPermissions['sysop']['autopatrol'] = true;
 $wgGroupPermissions['sysop']['protect'] = true;
+$wgGroupPermissions['sysop']['editcascadeprotected'] = true;
 $wgGroupPermissions['sysop']['editprotected'] = true;
 $wgGroupPermissions['sysop']['rollback'] = true;
 $wgGroupPermissions['sysop']['upload'] = true;
@@ -5478,6 +5479,7 @@ $wgGrantPermissions['delete']['undelete'] = true;
 
 $wgGrantPermissions['protect'] = $wgGrantPermissions['editprotected'];
 $wgGrantPermissions['protect']['protect'] = true;
+$wgGrantPermissions['protect']['editcascadeprotected'] = true;
 
 $wgGrantPermissions['viewmywatchlist']['viewmywatchlist'] = true;
 

diff --git a/includes/Title.php b/includes/Title.php
index 7887890..9c9917a 100644 (file)
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -2156,7 +2156,9 @@ class Title implements LinkTarget {
                        }
                        if ( !$user->isAllowed( $right ) ) {
                                $errors[] = [ 'protectedpagetext', $right, $action ];
-                       } elseif ( $this->mCascadeRestriction && !$user->isAllowed( 'protect' ) ) {
+                       } elseif ( $this->mCascadeRestriction &&
+                               !$user->isAllowedAny( 'editcascadeprotected', 'protect' ) )
+                       {
                                $errors[] = [ 'protectedpagetext', 'protect', $action ];
                        }
                }
@@ -2197,7 +2199,9 @@ class Title implements LinkTarget {
                                        if ( $right == 'autoconfirmed' ) {
                                                $right = 'editsemiprotected';
                                        }
-                                       if ( $right != '' && !$user->isAllowedAll( 'protect', $right ) ) {
+                                       if ( $right != '' && !$user->isAllowed( $right ) &&
+                                               !$user->isAllowedAny( 'editcascadeprotected', 'protect' ) )
+                                       {
                                                $pages = '';
                                                foreach ( $cascadingSources as $page ) {
                                                        $pages .= '* [[:' . $page->getPrefixedText() . "]]\n";

diff --git a/includes/user/User.php b/includes/user/User.php
index 7c32c3b..d473e70 100644 (file)
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -132,6 +132,7 @@ class User implements IDBAccessObject {
                'deletelogentry',
                'deleterevision',
                'edit',
+               'editcascadeprotected',
                'editcontentmodel',
                'editinterface',
                'editprotected',

diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index aacf623..21088bd 100644 (file)
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -1193,7 +1193,8 @@
        "right-hideuser": "Block a username, hiding it from the public",
        "right-ipblock-exempt": "Bypass IP blocks, auto-blocks and range blocks",
        "right-unblockself": "Unblock oneself",
-       "right-protect": "Change protection levels and edit cascade-protected pages",
+       "right-protect": "Change protection levels",
+       "right-editcascadeprotected": "Edit cascade-protected pages",
        "right-editprotected": "Edit pages protected as \"{{int:protect-level-sysop}}\"",
        "right-editsemiprotected": "Edit pages protected as \"{{int:protect-level-autoconfirmed}}\"",
        "right-editcontentmodel": "Edit the content model of a page",

diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index ddf544b..cbcfbfd 100644 (file)
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -1372,6 +1372,7 @@
        "right-ipblock-exempt": "{{doc-right|ipblock-exempt}}\nThis user automatically bypasses IP blocks, auto-blocks and range blocks - so I presume - but I am uncertain",
        "right-unblockself": "{{doc-right|unblockself}}",
        "right-protect": "{{doc-right|protect}}",
+       "right-editcascadeprotected": "{{doc-right|editcascadeprotected}}",
        "right-editprotected": "{{doc-right|editprotected}}\nRefers to {{msg-mw|Protect-level-sysop}}.\n\nSee also:\n* {{msg-mw|Right-editsemiprotected}}",
        "right-editsemiprotected": "{{doc-right|editsemiprotected}}\nRefers to {{msg-mw|Protect-level-autoconfirmed}}.\n\nSee also:\n* {{msg-mw|Right-editprotected}}",
        "right-editcontentmodel": "{{doc-right|editcontentmodel}}",

diff --git a/tests/phpunit/includes/TitlePermissionTest.php b/tests/phpunit/includes/TitlePermissionTest.php
index 5ecdf56..18c6ee2 100644 (file)
--- a/tests/phpunit/includes/TitlePermissionTest.php
+++ b/tests/phpunit/includes/TitlePermissionTest.php
@@ -633,7 +633,7 @@ class TitlePermissionTest extends MediaWikiLangTestCase {
                        Title::makeTitle( NS_MAIN, "UnBogus" )
                ];
                $this->title->mCascadingRestrictions = [
-                       "bogus" => [ 'bogus', "sysop", "protect", "" ]
+                       "bogus" => [ 'bogus', "sysop", "editcascadeprotected", "protect", "" ]
                ];
 
                $this->assertEquals( false,