From 383c2060644643adb4aca8f69fba62d75e80ce5a Mon Sep 17 00:00:00 2001
From: csteipp
Date: Tue, 18 Nov 2014 15:37:14 -0800
Subject: [PATCH] SECURITY: Require new right to change content model

Add the user right 'editcontentmodel', which is required to change the content model while editing a Page.

Bug: 70901
Change-Id: I54f59539f1045092ec0de76c31cb47ca19c56874
---
 includes/EditPage.php | 18 ++++++++++++++++++
 includes/User.php | 1 +
 includes/api/ApiBase.php | 4 ++++
 includes/api/ApiEditPage.php | 3 +++
 languages/i18n/en.json | 2 ++
 languages/i18n/qqq.json | 2 ++
 6 files changed, 30 insertions(+)

diff --git a/includes/EditPage.php b/includes/EditPage.php
index d106da2..e51999d 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -145,6 +145,12 @@ class EditPage {
 const AS_IMAGE_REDIRECT_LOGGED = 234;
 
 /**
+ * Status: user tried to modify the content model, but is not allowed to do that
+ * ( User::isAllowed('editcontentmodel') == false )
+ */
+ const AS_NO_CHANGE_CONTENT_MODEL = 235;
+
+ /**
 * Status: can't parse content
 */
 const AS_PARSE_ERROR = 240;
@@ -1384,6 +1390,9 @@ class EditPage {
 $permission = $this->mTitle->isTalkPage() ? 'createtalk' : 'createpage';
 throw new PermissionsError( $permission );
 
+ case self::AS_NO_CHANGE_CONTENT_MODEL:
+ throw new PermissionsError( 'editcontentmodel' );
+
 default:
 // We don't recognize $status->value. The only way that can happen
 // is if an extension hook aborted from inside ArticleSave.
@@ -1645,6 +1654,15 @@ class EditPage {
 }
 }
 
+ if ( $this->contentModel !== $this->mTitle->getContentModel()
+ && !$wgUser->isAllowed( 'editcontentmodel' )
+ ) {
+ $status->setResult( false, self::AS_NO_CHANGE_CONTENT_MODEL );
+ wfProfileOut( __METHOD__ . '-checks' );
+ wfProfileOut( __METHOD__ );
+ return $status;
+ }
+
 if ( wfReadOnly() ) {
 $status->fatal( 'readonlytext' );
 $status->value = self::AS_READ_ONLY_PAGE;
diff --git a/includes/User.php b/includes/User.php
index f9f4b6a..b12c1ae 100644
--- a/includes/User.php
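Review bot: In the third EditPage.php hunk the new guard decides purely on `$wgUser->isAllowed( 'editcontentmodel' )`, so hooks that participate in Title-level permission checks (and any block-based restrictions they apply) are never consulted for this decision; if the surrounding checks in this method go through `$this->mTitle->userCan( ... )` or getUserPermissionsErrors, this one should too, e.g. `&& !$this->mTitle->userCan( 'editcontentmodel', $wgUser )`, which would also make the newly added `action-editcontentmodel` message reachable. For a page that does not yet exist, `$this->mTitle->getContentModel()` presumably yields the namespace default, so creating a page with a non-default model is gated as well — worth a one-line comment above the `if`, such as `// Also covers page creation: getContentModel() falls back to the namespace default`. Unlike the read-only branch right below it, the new branch attaches no message to `$status`, so any consumer that renders `$status` instead of switching on its value gets an unexplained failure. The enclosing method starts and ends outside the hunk.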
+++ b/includes/User.php
@@ -112,6 +112,7 @@ class User implements IDBAccessObject {
 'deletelogentry',
 'deleterevision',
 'edit',
+ 'editcontentmodel',
 'editinterface',
 'editprotected',
 'editmyoptions',
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 3f84f2a..edf71e3 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -1638,6 +1638,10 @@ abstract class ApiBase extends ContextSource {
 'code' => 'missingtitle',
 'info' => "The article you tried to edit doesn't exist"
 ),
+ 'cantchangecontentmodel' => array(
+ 'code' => 'cantchangecontentmodel',
+ 'info' => "You don't have permission to change the content model of a page"
+ ),
 'nosuchrcid' => array(
 'code' => 'nosuchrcid',
 'info' => "There is no change with rcid \"\$1\""
diff --git a/includes/api/ApiEditPage.php b/includes/api/ApiEditPage.php
index 269b016..c1598c8 100644
--- a/includes/api/ApiEditPage.php
+++ b/includes/api/ApiEditPage.php
@@ -445,6 +445,9 @@ class ApiEditPage extends ApiBase {
 case EditPage::AS_NO_CREATE_PERMISSION:
 $this->dieUsageMsg( 'nocreate-loggedin' );
 
+ case EditPage::AS_NO_CHANGE_CONTENT_MODEL:
+ $this->dieUsageMsg( 'cantchangecontentmodel' );
+
 case EditPage::AS_BLANK_ARTICLE:
 $this->dieUsageMsg( 'blankpage' );
 
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 45c7105..24bd65d 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -1108,6 +1108,7 @@
 "right-protect": "Change protection levels and edit cascade-protected pages",
 "right-editprotected": "Edit pages protected as \"{{int:protect-level-sysop}}\"",
 "right-editsemiprotected": "Edit pages protected as \"{{int:protect-level-autoconfirmed}}\"",
+ "right-editcontentmodel": "Edit the content model of a page",
 "right-editinterface": "Edit the user interface",
 "right-editusercssjs": "Edit other users' CSS and JavaScript files",
 "right-editusercss": "Edit other users' CSS files",
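Review bot: The User.php hunk registers `'editcontentmodel'` in the core rights list, but the diffstat shows no DefaultSettings.php change, so as far as this patch shows the right is granted to no group — after upgrade even sysops will hit AS_NO_CHANGE_CONTENT_MODEL until an administrator adds something like `$wgGroupPermissions['sysop']['editcontentmodel'] = true;` to LocalSettings.php. Failing closed is the appropriate default for a security fix, but the resulting behaviour change should be stated in the commit message or RELEASE-NOTES so operators grant the right deliberately rather than discovering the refusal in production. The rights array continues outside the hunk.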
@@ -1180,6 +1181,7 @@
 "action-viewmywatchlist": "view your watchlist",
 "action-viewmyprivateinfo": "view your private information",
 "action-editmyprivateinfo": "edit your private information",
+ "action-editcontentmodel": "edit the content model of a page",
 "nchanges": "$1 {{PLURAL:$1|change|changes}}",
 "enhancedrc-since-last-visit": "$1 {{PLURAL:$1|since last visit}}",
 "enhancedrc-history": "history",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 9b09078..f0ff5b0 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -1272,6 +1272,7 @@
 "right-protect": "{{doc-right|protect}}",
 "right-editprotected": "{{doc-right|editprotected}}\nRefers to {{msg-mw|Protect-level-sysop}}.\n\nSee also:\n* {{msg-mw|Right-editsemiprotected}}",
 "right-editsemiprotected": "{{doc-right|editsemiprotected}}\nRefers to {{msg-mw|Protect-level-autoconfirmed}}.\n\nSee also:\n* {{msg-mw|Right-editprotected}}",
+ "right-editcontentmodel": "{{doc-right|editcontentmodel}}",
 "right-editinterface": "{{doc-right|editinterface}}",
 "right-editusercssjs": "{{doc-right|editusercssjs}}",
 "right-editusercss": "{{doc-right|editusercss}}\nSee also:\n* {{msg-mw|Right-editmyusercss}}",
@@ -1344,6 +1345,7 @@
 "action-viewmywatchlist": "{{doc-action|viewmywatchlist}}\n{{Identical|View your watchlist}}",
 "action-viewmyprivateinfo": "{{doc-action|viewmyprivateinfo}}",
 "action-editmyprivateinfo": "{{doc-action|editmyprivateinfo}}",
+ "action-editcontentmodel": "{{doc-action|editcontentmodel}}",
 "nchanges": "Appears on enhanced watchlist and recent changes when page has more than one change on given date, linking to a diff of the changes.\n\nParameters:\n* $1 - the number of changes on that day (2 or more)\nThree messages are shown side-by-side: ({{msg-mw|Nchanges}} | {{msg-mw|Enhancedrc-since-last-visit}} | {{msg-mw|Enhancedrc-history}}).",
 "enhancedrc-since-last-visit": "Appears on enhanced watchlist and recent changes when page has more than one change on given date and at least one that the user hasn't seen yet, linking to a diff of the unviewed changes.\n\nParameters:\n* $1 - the number of unviewed changes (1 or more)\nThree messages are shown side-by-side: ({{msg-mw|nchanges}} | {{msg-mw|enhancedrc-since-last-visit}} | {{msg-mw|enhancedrc-history}}).",
 "enhancedrc-history": "Appears on enhanced watchlist and recent changes when page has more than one change on given date, linking to its history.\n\nThis is the same as {{msg-mw|hist}}, but not abbreviated.\n\nThree messages are shown side-by-side: ({{msg-mw|nchanges}} | {{msg-mw|enhancedrc-since-last-visit}} | {{msg-mw|enhancedrc-history}}).\n{{Identical|History}}",
-- 
1.8.4.5