
0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch

Authored By
Zabe
Jun 29 2021, 9:31 PM

0001-SECURITY-Act-like-users-don-t-exist-if-hidden-from-v.patch

From a59b53f718a041581dab9f957180f9a8cf54a962 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <alec@vc-celle.de>
Date: Sun, 20 Jun 2021 18:38:02 +0200
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer
Bug: T285190
Change-Id: I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec
---
includes/specials/SpecialGlobalGroupMembership.php | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/includes/specials/SpecialGlobalGroupMembership.php b/includes/specials/SpecialGlobalGroupMembership.php
index 3cb2a0d5..d7102d37 100644
--- a/includes/specials/SpecialGlobalGroupMembership.php
+++ b/includes/specials/SpecialGlobalGroupMembership.php
@@ -98,14 +98,24 @@ class SpecialGlobalGroupMembership extends UserrightsPage {
if ( $username[0] == '#' ) {
$id = intval( substr( $username, 1 ) );
$user = CentralAuthGroupMembershipProxy::newFromId( $id );
+ $globalUser = CentralAuthUser::newMasterInstanceFromId( $id );
- if ( !$user ) {
+ // If the user exists, but is hidden from the viewer, pretend that it does
+ // not exist. - T285190/T260863
+ if ( !$user || ( ( $globalUser->isOversighted() || $globalUser->isHidden() ) &&
+ !$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' ) )
+ ) {
return Status::newFatal( 'noname', $id );
}
} else {
$user = CentralAuthGroupMembershipProxy::newFromName( $username );
- if ( !$user ) {
+ // If the user exists, but is hidden from the viewer, pretend that it does
+ // not exist. - T285190
+ $globalUser = CentralAuthUser::getMasterInstanceByName( $username );
+ if ( !$user || ( ( $globalUser->isOversighted() || $globalUser->isHidden() ) &&
+ !$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' ) )
+ ) {
return Status::newFatal( 'nosuchusershort', $username );
}
}
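Review bot: Both added conditions call `$globalUser->isOversighted()` without checking that the second lookup returned an object, so they are safe only if a truthy `$user` from CentralAuthGroupMembershipProxy always implies a usable CentralAuthUser, which the hunk does not show. The same visibility test is also copied into the `#id` branch and the name branch, so a later edit to one copy can leave the other revealing that a hidden account exists. I would move the test into one private helper that tolerates a missing global user and call it from both branches, as sketched below (the helper name is only a suggestion). A regression test asserting that a hidden account and a nonexistent one produce the same Status for a viewer without `centralauth-oversight` would pin the intent. The enclosing method starts and ends outside the hunk.

```php
// Proposed private helper on SpecialGlobalGroupMembership
private function isHiddenFromViewer( $globalUser ): bool {
	if ( !( $globalUser instanceof CentralAuthUser ) ) {
		// No central account object: nothing to hide, the !$user check reports it as missing
		return false;
	}
	if ( !$globalUser->isOversighted() && !$globalUser->isHidden() ) {
		return false;
	}
	return !$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' );
}

// … unchanged: '#' branch lookups of $user and $globalUser …
if ( !$user || $this->isHiddenFromViewer( $globalUser ) ) {
	return Status::newFatal( 'noname', $id );
}
// … unchanged: name branch lookups of $user and $globalUser …
if ( !$user || $this->isHiddenFromViewer( $globalUser ) ) {
	return Status::newFatal( 'nosuchusershort', $username );
}
```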
--
2.26.1.windows.1
