Page MenuHomePhabricator
Files F33947153

T120883-v9-REL1_31.patch
Reedy (Sam Reed)
Actions

Authored By
Reedy
Dec 16 2020, 2:00 PM
Size
1 KB
Referenced Files
None
Subscribers
None

T120883-v9-REL1_31.patch
View Options

From 266ce5e15a0c7aa1bb2a0a33a77e8130390602d3 Mon Sep 17 00:00:00 2001
From: DannyS712 <dannys712.enwiki@gmail.com>
Date: Wed, 16 Dec 2020 13:59:03 +0000
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer
When viewing Special:Contributions for a hidden user and
a missing user, or the user page of a hidden user and a
missing user, if the viewer cannot see hidden users
the output should be the same for hidden users and
missing users.
To that end
* In EditPage.php, for users that exist but are hidden from the
viewer, do show `userpage-userdoesnotexist` and do not show
an excerpt from the block log.
Bug: T120883
Change-Id: I85a446afc77ce9bcba0395f7d66c2792d0abf2f8
---
includes/EditPage.php | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 5c37c42591..1d19123b3f 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2513,7 +2513,15 @@ ERROR;
$user = User::newFromName( $username, false /* allow IP users */ );
$ip = User::isIP( $username );
$block = Block::newFromTarget( $user, $user );
- if ( !( $user && $user->isLoggedIn() ) && !$ip ) { # User does not exist
+
+ $userExists = ( $user && $user->isLoggedIn() );
+ if ( $userExists && $user->isHidden() && !$this->context->getUser()->isAllowed( 'hideuser' ) ) {
+ // If the user exists, but is hidden, and the viewer cannot see hidden
+ // users, pretend like they don't exist at all. See T120883
+ $userExists = false;
+ }
+
+ if ( !$userExists && !$ip ) { # User does not exist
$out->wrapWikiMsg( "<div class=\"mw-userpage-userdoesnotexist error\">\n$1\n</div>",
[ 'userpage-userdoesnotexist', wfEscapeWikiText( $username ) ] );
} elseif ( !is_null( $block ) && $block->getType() != Block::TYPE_AUTO ) {
--
2.25.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8802941
Default Alt Text
T120883-v9-REL1_31.patch (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits