Page MenuHomePhabricator

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch

Authored By
Zabe
Jun 20 2021, 5:01 PM
Size
1 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch

From a32479cf562bdaca4988d48ec9a103d0eded4984 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <alec@vc-celle.de>
Date: Sun, 20 Jun 2021 18:38:02 +0200
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer
Bug: T285190
Change-Id: I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec
---
includes/specials/SpecialGlobalGroupMembership.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/specials/SpecialGlobalGroupMembership.php b/includes/specials/SpecialGlobalGroupMembership.php
index 3cb2a0d5..d5465b0c 100644
--- a/includes/specials/SpecialGlobalGroupMembership.php
+++ b/includes/specials/SpecialGlobalGroupMembership.php
@@ -105,7 +105,11 @@ class SpecialGlobalGroupMembership extends UserrightsPage {
} else {
$user = CentralAuthGroupMembershipProxy::newFromName( $username );
- if ( !$user ) {
+ // If the user exists, but is hidden, and the viewer cannot see hidden
+ // users, pretend like they don't exist at all. See T285190
+ if ( !$user || ( CentralAuthUser::getMasterInstanceByName( $username )->isOversighted() &&
+ !$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' ) )
+ ) {
return Status::newFatal( 'nosuchusershort', $username );
}
}
--
2.26.1.windows.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9106752
Default Alt Text
0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch (1 KB)

Event Timeline