Authored By
sbassett
Apr 6 2021, 8:07 PM

T279090-PS4.patch

From 4ed64aa258dc55ba9d9b77b0fcb8a379bee5d1e3 Mon Sep 17 00:00:00 2001
From: RhinosF1 <rhinosf1@gmail.com>
Date: Thu, 1 Apr 2021 22:56:49 +0100
Subject: [PATCH] SECURITY: Check permissions before job execution
---
src/ReplaceTextJob.php | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/ReplaceTextJob.php b/src/ReplaceTextJob.php
index a52b565..bc01f68 100644
--- a/src/ReplaceTextJob.php
+++ b/src/ReplaceTextJob.php
@@ -20,6 +20,7 @@
* @author Ankit Garg
*/
+use MediaWiki\MediaWikiServices;
use Wikimedia\ScopedCallback;
/**
@@ -41,6 +42,15 @@ class ReplaceTextJob extends Job {
* @return bool success
*/
function run() {
+ // T279090
+ $current_user = User::newFromId( $this->params['user_id'] );
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
+ if ( !$permissionManager->userCan(
+ 'replacetext', $currentuser, $this->title
+ ) ) {
+ $this->error('replacetext: permission no longer valid')
+ return false;
+ }
if ( isset( $this->params['session'] ) ) {
$callback = RequestContext::importScopedSession( $this->params['session'] );
$this->addTeardownCallback( function () use ( &$callback ) {
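Review bot: The new permission check passes `$currentuser` to `userCan()`, but the variable assigned two lines above is `$current_user`, so the check never evaluates the user who queued the job; the argument line should read `'replacetext', $current_user, $this->title`. The `$this->error( ... )` line also lacks its terminating `;`, so the file would not parse as written. No `error()` method is visible on this class in the hunk, so confirm one exists on `Job`; `$this->setLastError( 'replacetext: permission no longer valid' );` is probably what is intended. Since this is a security gate, it would also help to handle a missing or stale `$this->params['user_id']` explicitly so the job fails closed with a clear error. The body of `run()` continues outside this hunk.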
@@ -54,7 +64,6 @@ class ReplaceTextJob extends Job {
}
if ( array_key_exists( 'move_page', $this->params ) ) {
- $current_user = User::newFromId( $this->params['user_id'] );
$new_title = ReplaceTextSearch::getReplacedTitle(
$this->title,
$this->params['target_str'],
--
2.30.2
