[Fusionforge-commits] FusionForge branch Branch_5_1 updated. c8654169d6f8d4b79b63ff47e8ce9a21a267b404

Thorsten Glaser mirabilos at fusionforge.org
Mon Dec 22 14:44:30 CET 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, Branch_5_1 has been updated
       via  c8654169d6f8d4b79b63ff47e8ce9a21a267b404 (commit)
       via  9d5421b3bff4a6e6eb6960101c6a748b3c945260 (commit)
      from  ee051b8230b9db1e511ce94364488de81e767089 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c8654169d6f8d4b79b63ff47e8ce9a21a267b404
Author: Thorsten Glaser <t.glaser at tarent.de>
Date:   Mon Dec 22 14:43:45 2014 +0100

    SECURITY: (critical) do not use cached permission values from roles
    that had once been linked to a group but later unlinked – only use
    external roles that actually are used by the project right now to
    determine mediawiki access levels

diff --git a/src/plugins/mediawiki/www/LocalSettings.php b/src/plugins/mediawiki/www/LocalSettings.php
index a455f98..b2cd2fd 100644
--- a/src/plugins/mediawiki/www/LocalSettings.php
+++ b/src/plugins/mediawiki/www/LocalSettings.php
@@ -220,15 +220,23 @@ function FusionForgeMWAuth( $user, &$result ) {
 }
 
 function SetupPermissionsFromRoles () {
-	global $fusionforgeproject, $wgGroupPermissions ;
+	global $fusionforgeproject, $wgGroupPermissions, $unused_external_roles;
 
 	$g = group_get_object_by_name ($fusionforgeproject) ;
 	// Setup rights for all roles referenced by project
 	$rids = $g->getRolesID() ;
 	$e = RBACEngine::getInstance();
 	$grs = $e->getGlobalRoles();
+	forge_cache_external_roles($g);
+	$skiproles = array();
+	foreach ($unused_external_roles as $r) {
+		$skiproles[$r->getID()] = true;
+	}
 	foreach ($grs as $r) {
-		$rids[] = $r->getID();
+		$rid = $r->getID();
+		if (!isset($skiproles[$rid])) {
+			$rids[] = $rid;
+		}
 	}
 	$rids = array_unique($rids);
 	$rs = array();
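Review bot: the new `foreach ($unused_external_roles as $r)` fails open if the global is not a populated array at that point. The loop appears to depend on `forge_cache_external_roles($g)` filling `$unused_external_roles` as a side effect. If that call leaves it unset or empty, `$skiproles` stays empty and every ID from `getGlobalRoles()` is appended to `$rids` exactly as before the fix. Consider having the helper return the list, or checking `is_array($unused_external_roles)` and refusing to add any global role when the check fails, so that an error denies access rather than granting it. The skip list is also applied only inside the `foreach ($grs as $r)` loop. IDs already returned by `$g->getRolesID()` are not filtered, so it is worth confirming that this call cannot return an unlinked role. A one-line comment above the `forge_cache_external_roles($g)` call stating that it populates the global would make the dependency visible to the next reader.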

commit 9d5421b3bff4a6e6eb6960101c6a748b3c945260
Author: Thorsten Glaser <t.glaser at tarent.de>
Date:   Mon Dec 22 14:41:46 2014 +0100

    SECURITY: (moderate) zero out all implicit mediawiki permissions, too
    
    note that we still explicitly set some to false if they were unset,
    but now we also explicitly set those that were set to false

diff --git a/src/plugins/mediawiki/www/LocalSettings.php b/src/plugins/mediawiki/www/LocalSettings.php
index d0c6a61..a455f98 100644
--- a/src/plugins/mediawiki/www/LocalSettings.php
+++ b/src/plugins/mediawiki/www/LocalSettings.php
@@ -338,10 +338,17 @@ $GLOBALS['wgHooks']['UserLoadFromSession'][]='FusionForgeMWAuth';
 
 $zeroperms = array ('read', 'writeapi', 'edit', 'move-subpages', 'move-rootuserpages', 'reupload-shared', 'createaccount');
 
+/* explicitly zero these mediawiki permissions */
 foreach ($zeroperms as $i) {
 	$wgGroupPermissions['user'][$i] = false;
 	$wgGroupPermissions['*'][$i] = false;
 }
+/* zero all permissions implicitly set by mediawiki already */
+foreach ($wgGroupPermissions as $kg => $vg) {
+	foreach ($vg as $kp => $vp) {
+		$wgGroupPermissions[$kg][$kp] = false;
+	}
+}
 
 SetupPermissionsFromRoles();
 
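Review bot: the added nested loop over `$wgGroupPermissions` only zeroes the groups and permissions that exist when this line of LocalSettings.php runs, so the deny-by-default result depends on ordering. Anything that adds entries to `$wgGroupPermissions` after this point, other than `SetupPermissionsFromRoles()`, is not covered. A comment stating that this block must stay directly before `SetupPermissionsFromRoles();` and after everything else that registers permissions would document that constraint. The loop also resets every group it finds, not just `user` and `*`. If that is the intent, the comment `zero all permissions implicitly set by mediawiki already` could say so explicitly. Since this code runs at file scope, `$i`, `$kg`, `$vg`, `$kp` and `$vp` remain defined as globals afterwards. An `unset()` after the loops, or moving both loops into a small function, avoids leaking them.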

-----------------------------------------------------------------------

Summary of changes:
 src/plugins/mediawiki/www/LocalSettings.php |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
FusionForge


