F34251703
01-T270453-REL1_31.patch
Reedy (Sam Reed)
Authored By
Reedy
Apr 5 2021, 12:10 AM
2021-04-05 00:10:16 (UTC+0)
Size
1 KB
From 93dbd12a600ccd81a8dc38bf4eace3f6857bc49f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Fri, 18 Dec 2020 16:47:05 +0100
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer
(VE edit notices)
Applying the changes from the MediaWiki core patch for T120883
(Ife272a0eb1f3322bc8eb30ca803bd21801acba3e) to our duplicated
code implementing the same functionality.
Bug: T270453
Change-Id: I1b2de322aa0c69eb6d3b3ffadaed3fbaa3a58bca
---
includes/ApiVisualEditor.php | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/includes/ApiVisualEditor.php b/includes/ApiVisualEditor.php
index 08410adb4..32457c3ff 100644
--- a/includes/ApiVisualEditor.php
+++ b/includes/ApiVisualEditor.php
@@ -485,10 +485,15 @@ class ApiVisualEditor extends ApiBase {
/* allow IP users*/ false
);
- if (
- !( $targetUser && $targetUser->isLoggedIn() ) &&
- !User::isIP( $targetUsername )
+ $targetUserExists = ( $targetUser && $targetUser->isLoggedIn() );
+ if ( $targetUserExists && $targetUser->isHidden() &&
+ !$user->isAllowed( 'hideuser' )
) {
+ // If the user exists, but is hidden, and the viewer cannot see hidden
+ // users, pretend like they don't exist at all. See T120883/T270453
+ $targetUserExists = false;
+ }
+ if ( !$targetUserExists && !User::isIP( $targetUsername ) ) {
// User does not exist
$notices[] = "<div class=\"mw-userpage-userdoesnotexist error\">\n" .
$this->msg( 'userpage-userdoesnotexist', wfEscapeWikiText( $targetUsername ) ) .
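Review bot: the new condition `!$user->isAllowed( 'hideuser' )` depends on `$user`, which is not defined anywhere in the visible context of this hunk; please confirm it is the requesting viewer and not derived from `$targetUser`, because the check only makes sense against the viewer's rights. The diffstat shows only includes/ApiVisualEditor.php changed, so a regression test is missing: for a viewer without `hideuser`, a hidden target and a never-registered name should yield the same `userpage-userdoesnotexist` notice. Because the commit message describes this as duplicated code, any later use of `$targetUser` in this method that falls outside the hunk should also be gated on `$targetUserExists` rather than on `$targetUser->isLoggedIn()` directly.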
--
2.27.0
Attached To
T270459: Tracking bug for MediaWiki 1.31.13/1.35.2
T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users