mediawiki: Don't allow anonymous edits

When private mode is turned on and off, a setting to allow anonymous editing is
being written. This turns on anonymous editing on the wiki. To fix, drop the
code that adds the anonymous editing line and implement migration from older
settings to newer settings.

Closes: #1783.

Tests performed:

- Install mediawiki with current master. Private mode is disabled by default.
Anonymous users can't edit. There is a line for editing set to false in
FreedomBoxSettings.php configuration file. Switch to latest code. The line
should be removed. Private mode is still disabled. Anonymous users should not be
able to edit the wiki.

- Install mediawiki with current master. Enable private mode. Anonymous users
can't edit, login is required to view wiki. There is a line for editing set to
false in FreedomBoxSettings.php configuration file. Switch to latest code. The
line should be removed. Private mode is still enabled. Anonymous users should
not be able to edit the wiki. Login is required to view the wiki.

- Install mediawiki with current master. Enable private mode and disable it.
Anonymous users can edit the wiki. There is a line for editing set to true in
FreedomBoxSettings.php configuration file. Switch to latest code. The line
should be removed. Private mode is still disabled. Anonymous users should not be
able to edit the wiki but they can read the wiki.

- Install mediawiki with the changes in the branch. Line for editing the wiki is
not present in FreedomBoxSettings.php configuration file. Enabling/disabling the
private mode does not introduce the line either. When private mode is enabled,
login is required to read/edit the wiki. When it is disabled, anonymous users
can read the wiki but not edit it.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Sunil Mohan Adapa 2020-03-17 23:59:41 -07:00 committed by James Valleroy
parent 6c73b18d7f
commit cf7cacb575
GPG Key ID: 77C0C75E7B650808
2 changed files with 20 additions and 12 deletions


@ -73,6 +73,7 @@ def subcommand_setup(_):
subprocess.run(['chmod', '-R', 'o-rwx', data_dir], check=True)
subprocess.run(['chown', '-R', 'www-data:www-data', data_dir], check=True)
include_custom_config()
_fix_non_private_mode()
def include_custom_config():
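Review bot: The `_fix_non_private_mode()` call added at the end of `subcommand_setup` runs on every setup, and the helper opens `CONF_FILE` for reading without any guard, so setup raises if that file is not present at this point. If `include_custom_config()` does not guarantee the file exists, handle `FileNotFoundError` (or check for the file first) so that a migration meant for older installs cannot block a fresh one.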
@ -102,6 +103,21 @@ def include_custom_config():
conf_file.writelines(lines)
def _fix_non_private_mode():
"""Drop the line that allows editing by anonymous users.
Remove this fix after the release of Debian 11.
"""
with open(CONF_FILE, 'r') as conf_file:
lines = conf_file.readlines()
with open(CONF_FILE, 'w') as conf_file:
for line in lines:
if not line.startswith("$wgGroupPermissions['*']['edit']"):
conf_file.write(line)
def subcommand_change_password(arguments):
"""Change the password for a given user"""
new_password = ''.join(sys.stdin)
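Review bot: In `_fix_non_private_mode`, the filter `line.startswith("$wgGroupPermissions['*']['edit']")` matches only the exact form this script used to write, so an indented or differently quoted copy of the same setting would survive the migration. Matching on `line.lstrip()` would cover the indented case. The docstring should also say where the deny for anonymous edits comes from once this line is dropped, since nothing in this hunk sets it. Separately, `open(CONF_FILE, 'w')` truncates the file before the filtered lines are written back; writing to a temporary file and renaming it over `CONF_FILE` would avoid a half-written settings file if the process is interrupted.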
@ -154,34 +170,26 @@ def subcommand_private_mode(arguments):
with open(CONF_FILE, 'r') as conf_file:
lines = conf_file.readlines()
def is_edit_line(line):
return line.startswith("$wgGroupPermissions['*']['edit']")
def is_read_line(line):
return line.startswith("$wgGroupPermissions['*']['read']")
edit_conf_lines = list(filter(is_edit_line, lines))
read_conf_lines = list(filter(is_read_line, lines))
if arguments.command == 'status':
if edit_conf_lines and read_conf_lines:
print('enabled' if ('false' in read_conf_lines[0]) and (
'false' in edit_conf_lines[0]) else 'disabled')
if read_conf_lines and 'false' in read_conf_lines[0]:
print('enabled')
else:
print('disabled')
else:
with open(CONF_FILE, 'w') as conf_file:
conf_value = 'false;' if arguments.command == 'enable' else 'true;'
for line in lines:
if is_edit_line(line) or is_read_line(line):
if is_read_line(line):
words = line.split()
words[-1] = conf_value
conf_file.write(" ".join(words) + '\n')
else:
conf_file.write(line)
if not edit_conf_lines:
conf_file.write("$wgGroupPermissions['*']['edit'] = " +
conf_value + '\n')
if not read_conf_lines:
conf_file.write("$wgGroupPermissions['*']['read'] = " +
conf_value + '\n')
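Review bot: In the `status` branch of `subcommand_private_mode`, the new check `'false' in read_conf_lines[0]` is a substring test on the first matching line only, so it reports `enabled` for any first read line that contains the text `false` anywhere (a trailing comment, for instance), and it ignores later duplicates of the setting even though PHP applies the last assignment. Consider comparing the parsed value of the last matching line instead. The rewrite loop has a related fragility: `words[-1] = conf_value` assumes the value is the last whitespace-separated token, so a read line written without spaces around `=` or with a trailing comment would be rewritten incorrectly. Since this function is now the only place that controls anonymous read access, a test covering both cases would be worth adding.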


@ -16,7 +16,7 @@ from plinth.modules.firewall.components import Firewall
from .manifest import backup, clients # noqa, pylint: disable=unused-import
version = 7
version = 8
managed_packages = ['mediawiki', 'imagemagick', 'php-sqlite3']