
bug72222b.patch

Authored By
bzimport
Nov 22 2014, 3:48 AM

bug72222b.patch

From 06798f3f5f9d3c7a206830dffcbdf3b2beec38e5 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 29 Oct 2014 08:41:20 -0700
Subject: [PATCH] SECURITY: Do not show log action if revdeleted
Also do not include revdeleted entries in search results when
filtering by action if user cannot view that info.
Bug: 72222
Change-Id: I9f331c421c55323018765456d6a99229e1fff592
---
includes/api/ApiQueryLogEvents.php | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php
index eb5ca4f..0c14b78 100644
--- a/includes/api/ApiQueryLogEvents.php
+++ b/includes/api/ApiQueryLogEvents.php
@@ -200,7 +200,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
}
// Paranoia: avoid brute force searches (bug 17342)
- if ( $params['namespace'] !== null || !is_null( $title ) || !is_null( $user ) ) {
+ $hideActions = $params['namespace'] !== null || !is_null( $title ) || !is_null( $params['action'] );
+ if ( $hideActions || !is_null( $user ) ) {
if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
$titleBits = LogPage::DELETED_ACTION;
$userBits = LogPage::DELETED_USER;
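Review bot: `$hideActions` on the added line has no comment saying why an action filter is now treated like a namespace or title filter, and the name reads as if it controls output rather than the WHERE clause. I would add above it `// Filtering by namespace, title or action must not match rows whose action is revdeleted for this user`, or rename the variable to something like `$filtersOnHiddenFields`. The same flag is reused in the next hunk for the `$titleBits` condition, so the comment belongs here where it is defined. The line also mixes `!== null` with `!is_null()`, carried over from the removed line; one form would read more easily. The enclosing method starts and ends outside the hunk.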
@@ -211,7 +212,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
$titleBits = 0;
$userBits = 0;
}
- if ( ( $params['namespace'] !== null || !is_null( $title ) ) && $titleBits ) {
+ if ( $hideActions && $titleBits ) {
$this->addWhere( $db->bitAnd( 'log_deleted', $titleBits ) . " != $titleBits" );
}
if ( !is_null( $user ) && $userBits ) {
@@ -372,12 +373,18 @@ class ApiQueryLogEvents extends ApiQueryBase {
$title = Title::makeTitle( $row->log_namespace, $row->log_title );
}
- if ( $this->fld_title || $this->fld_ids || $this->fld_details && $row->log_params !== '' ) {
+ if ( $this->fld_title || $this->fld_ids || $this->fld_type
+ || $this->fld_details && $row->log_params !== ''
+ ) {
if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) {
$vals['actionhidden'] = '';
$anyHidden = true;
}
if ( LogEventsList::userCan( $row, LogPage::DELETED_ACTION, $user ) ) {
+
+ if ( $this->fld_type ) {
+ $vals['action'] = $row->log_action;
+ }
if ( $this->fld_title ) {
ApiQueryBase::addTitleInfo( $vals, $title );
}
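Review bot: The rewritten condition still relies on `&&` binding tighter than `||`, and with `fld_type` added to the chain the grouping is easy to misread; writing the last operand as `|| ( $this->fld_details && $row->log_params !== '' )` makes it explicit that title, ids or type alone is enough to enter the visibility check. The added blank line directly after the `userCan()` opener can go. Since `action` is now emitted only inside the `userCan()` branch, a regression test that requests `type` on an entry with `DELETED_ACTION` set, as a user without the right, would pin the fix; no test is visible in this patch. The block continues beyond the hunk.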
@@ -399,9 +406,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
}
}
- if ( $this->fld_type || $this->fld_action ) {
+ if ( $this->fld_type ) {
$vals['type'] = $row->log_type;
- $vals['action'] = $row->log_action;
}
if ( $this->fld_user || $this->fld_userid ) {
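Review bot: After this change `$this->fld_action` is no longer read in the visible code, so if it is still declared and assigned elsewhere in the class (not shown in this patch) it is dead state and should be removed in the same commit. It also means a request that previously set only that flag no longer gets `type` here; if that is intended, a short comment such as `// 'action' is emitted above, behind the DELETED_ACTION check` next to this block would stop someone from re-adding it. The enclosing loop body starts and ends outside the hunk.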
--
1.8.4.5
