Page MenuHomePhabricator
Authored By
sbassett
Apr 5 2021, 9:05 PM
Size
1 KB
Referenced Files
None
Subscribers
None

01-T270453.patch

From 6299689c4f7037c282143cdc3330db96efc895e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Mon, 5 Apr 2021 15:39:17 -0500
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer
(VE edit notices)
Applying the changes from the MediaWiki core patch for T120883
(Ife272a0eb1f3322bc8eb30ca803bd21801acba3e) to our duplicated
code implementing the same functionality.
Bug: T270453
---
includes/ApiVisualEditor.php | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/includes/ApiVisualEditor.php b/includes/ApiVisualEditor.php
index 92bbb77dd..c98d0c90d 100644
--- a/includes/ApiVisualEditor.php
+++ b/includes/ApiVisualEditor.php
@@ -396,10 +396,15 @@ class ApiVisualEditor extends ApiBase {
);
$block = $targetUser->getBlock();
- if (
- !( $targetUser && $targetUser->isRegistered() ) &&
- !$this->userNameUtils->isIP( $targetUsername )
+ $targetUserExists = ( $targetUser && $targetUser->isRegistered() );
+ if ( $targetUserExists && $targetUser->isHidden() &&
+ !$permissionManager->userHasRight( $user, 'hideuser' )
) {
+ // If the user exists, but is hidden, and the viewer cannot see hidden
+ // users, pretend like they don't exist at all. See T120883/T270453
+ $targetUserExists = false;
+ }
+ if ( !$targetUserExists && !User::isIP( $targetUsername ) ) {
// User does not exist
$notices['userpage-userdoesnotexist'] = "<div class=\"mw-userpage-userdoesnotexist error\">\n" .
$this->msg( 'userpage-userdoesnotexist', wfEscapeWikiText( $targetUsername ) )
--
2.30.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8968039
Default Alt Text
01-T270453.patch (1 KB)

Event Timeline