mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/TitleBlacklist
synced 2024-09-23 10:18:34 +00:00
Declare grant risk levels
createaccount is a core grant which by default isn't really sensitive, but TitleBlacklist adds tboverride-account which can be used for social engineering. Using MediaWikiServices to change configuration is not great, but it's the least bad option available today - other hooks run too late, and the extension registry doesn't support extensions overriding core values. Bug: T290790 Depends-On: Ib7a195c167f82e686c4ede45388957f9988bf75d Change-Id: I2d20190266e4094449b5857b88f962a444c2f9b5
parent
84bd6740cc
commit
2b7633219b
|
@ -77,6 +77,7 @@
|
|||
"localBasePath": "modules",
|
||||
"remoteExtPath": "TitleBlacklist/modules"
|
||||
},
|
||||
"callback": "MediaWiki\\Extension\\TitleBlacklist\\Hooks::onRegistration",
|
||||
"Hooks": {
|
||||
"getUserPermissionsErrorsExpensive": "TitleBlacklistHookHandler",
|
||||
"TitleGetEditNotices": "TitleBlacklistHookHandler",
|
||||
|
|
|
@ -16,6 +16,7 @@ use MediaWiki\Hook\EditFilterHook;
|
|||
use MediaWiki\Hook\MovePageCheckPermissionsHook;
|
||||
use MediaWiki\Hook\TitleGetEditNoticesHook;
|
||||
use MediaWiki\Html\Html;
|
||||
use MediaWiki\Permissions\GrantsInfo;
|
||||
use MediaWiki\Permissions\Hook\GetUserPermissionsErrorsExpensiveHook;
|
||||
use MediaWiki\Revision\RevisionRecord;
|
||||
use MediaWiki\Status\Status;
|
||||
|
@ -42,6 +43,16 @@ class Hooks implements
|
|||
PageSaveCompleteHook
|
||||
{
|
||||
|
||||
public static function onRegistration() {
|
||||
global $wgGrantRiskGroups;
|
||||
// Make sure the risk rating is at least 'security'. TitleBlacklist adds the
|
||||
// tboverride-account right to the createaccount grant, which makes it possible
|
||||
// to use it for social engineering attacks with restricted usernames.
|
||||
if ( $wgGrantRiskGroups['createaccount'] !== GrantsInfo::RISK_INTERNAL ) {
|
||||
$wgGrantRiskGroups['createaccount'] = GrantsInfo::RISK_SECURITY;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* getUserPermissionsErrorsExpensive hook
|
||||
*
|
||||
|
|
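Review bot: The guard in `onRegistration()` reads `$wgGrantRiskGroups['createaccount']` without checking that the key exists, so if a site's configuration has dropped or never defined that entry, PHP 8 emits an "Undefined array key" warning on every request during extension registration (the assignment to `RISK_SECURITY` still happens). Reading it as `( $wgGrantRiskGroups['createaccount'] ?? null ) !== GrantsInfo::RISK_INTERNAL` keeps the same outcome without the warning. The "at least 'security'" logic also depends on `RISK_INTERNAL` being the only level ranked above `RISK_SECURITY`; a short comment stating that assumption would stop a future, higher level from being silently downgraded here. The method has no docblock or `: void` return type; I would add one saying that it is the `extension.json` `callback`, that it deliberately overrides a core config global, and why, since the commit message mentions MediaWikiServices while the code writes the global directly.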