⚓ T10796 Semi-protection should not cascade
Page MenuHomePhabricator
Create Task
Maniphest T10796

Semi-protection should not cascade
Closed, ResolvedPublic
Actions

Description

David Levy said on https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(proposals)/Archive_AD#Salted_pages:

I'm surprised to learn that cascading semi-protection is possible, as this enables anyone with a non-new account to semi-protect pages. That's a far worse problem than the display of that message (which would require developer intervention to change) and I don't believe that cascading semi-protection should ever be applied for any reason. In my opinion, it should be formally prohibited via the protection policy. —David Levy 18:34, 27 January 2007 (UTC)

In fact, the situation is far worse, since when semi-protection cascades it becomes full (per T10658). Thus, users can full-protect arbitrary pages by editing a semi-protected page with cascade enabled.

The only reasonable solution I see is to disable cascade completely for semi-protected pages.

Details

Reference
bz8796

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedNoneT10575 Cascading Page Protection (tracking)
 ResolvedNoneT10796 Semi-protection should not cascade

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:33 PM
bzimport added a project: MediaWiki-Page-editing.
bzimport set Reference to bz8796.
bzimport added a subscriber: Unknown Object (MLST).
Mattflaschen-WMF created this task.Jan 27 2007, 8:15 PM
bzimport added a comment.Jan 29 2007, 1:04 AM

ayg wrote:

Workaround: don't cascade semi-protected pages until this is fixed. It might be advisable to add
this as a note to the system message for now.

I agree that there's not any mileage in allowing cascading semi-protects at all. It's only a tool
to prevent casual vandalism in the first place, so it's no big deal if someone can avoid it by going
to a little trouble.

Mattflaschen-WMF added a comment.Jan 29 2007, 2:34 AM

Good idea. Ixfd64 put such a warning, and I made it more forceful.

Mattflaschen-WMF added a comment.Jan 29 2007, 3:07 AM

How is this just an enhancement? It seems like a privilege escalation
vulnerability to me.

bzimport added a comment.Jan 29 2007, 3:44 AM

thekid7590 wrote:

I changed to major, seems more like that to me.

bzimport added a comment.Mar 14 2007, 7:14 PM

titoxd.wikimedia wrote:

And this was reported on Wikizine:

http://en.wikizine.org/2007/03/year-2007-week-11-number-64.html

Great, so everyone knows about it now, and everyone can exploit it. Recommend
raising priority.

brooke added a comment.Mar 14 2007, 7:36 PM

(Note that this isn't really a privilege escalation, since you doesn't let you
_do_ new things; at worst it blocks anonymous editing to more pages than were
asked. It cannot, for instance, allow you to edit pages you weren't supposed to
be able to.)

aaron added a comment.Mar 14 2007, 7:44 PM

Fixed in r20461. Cascade only applies if all the protection types are set to
groups that can "protect".

bzimport added a comment.Mar 15 2007, 5:03 PM

robchur wrote:

(In reply to comment #5)

And this was reported on Wikizine:

Some people have absolutely no sense of responsibility.

bzimport added a comment.Mar 19 2007, 11:20 AM

walter wrote:

This is not a matter of irresponsibility but of informing the users. The possibility
of abuse by this function was limited. For sysops to know how to solve problems the
need to know how things work so you know for what to look to solve a problem.

Awesome_Aasim subscribed.Apr 25 2017, 5:08 PM
This comment was removed by Awesome_Aasim.
IKhitron mentioned this in T195249: Allow cascade semi-protection or different protection levels for root page and cascade transclusions.May 21 2018, 12:34 PM
LD mentioned this in T334155: frwiki : autopatrolled level cascading protection.Apr 5 2023, 11:51 PM
Tacsipacsi updated the task description. (Show Details)Apr 12 2024, 8:07 AM
Tacsipacsi edited subscribers, added: Tacsipacsi; removed: wikibugs-l-list.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits