
T296578.patch

Authored By
Urbanecm
Nov 28 2021, 3:10 PM
Size
1 KB

T296578.patch

From b218b0988949f14e6b6eeca7bf5babec54e36ee7 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sun, 28 Nov 2021 16:06:35 +0100
Subject: [PATCH] SECURITY: Do not let globally blocked users in

This is a quite hacky solution for the job, and it will
fatal in case the user meets all of the following conditions:
a) has the 'edit' right,
b) is not locally/globally blocked,
c) PermissionManager::userCan() returns false

However, throwing is likely better than a permission error, at least
from security's PoV.

Bug: T296578
Change-Id: I121eca1f7c86c17aba510fc5a50de347792f5aab
---
.../Specials/SetEntitySchemaLabelDescriptionAliases.php | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
index b42b9a8..d43bf79 100644
--- a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
+++ b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
@@ -48,7 +48,8 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
public function __construct( $htmlFormProvider = HTMLForm::class ) {
parent::__construct(
- 'SetEntitySchemaLabelDescriptionAliases'
+ 'SetEntitySchemaLabelDescriptionAliases',
+ 'edit'
);
$this->htmlFormProvider = $htmlFormProvider;
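Review bot: passing 'edit' as the second constructor argument turns on SpecialPage's own restriction check, which rejects users who lack the 'edit' right before the form is shown, but that check looks only at user rights, not at blocks, so a blocked user who still holds 'edit' gets past it and the checkBlocked() change in the second hunk is what actually enforces blocks; a one-line comment next to `'edit'` stating that the page requires the ordinary edit right because it modifies schema content (and that block enforcement lives in checkBlocked()) would make this split obvious to the next reader.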
@@ -407,11 +408,11 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
}
private function checkBlocked( LinkTarget $title ) {
- if ( MediaWikiServices::getInstance()->getPermissionManager()
- ->isBlockedFrom( $this->getUser(), $title )
+ if ( !MediaWikiServices::getInstance()->getPermissionManager()
+ ->userCan( 'edit', $this->getUser(), $title )
) {
// @phan-suppress-next-line PhanTypeMismatchArgumentNullable
- throw new UserBlockedError( $this->getUser()->getBlock() );
+ throw new UserBlockedError( $this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock() );
}
}
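Review bot: the guard now fires whenever userCan( 'edit', ... ) returns false, which includes reasons other than a block (the commit message itself lists the case: user has 'edit', is neither locally nor globally blocked, and userCan() still returns false), yet the throw always builds a UserBlockedError, and when both getBlock() and getGlobalBlock() return null the `??` yields null and the constructor fatals; the `@phan-suppress-next-line PhanTypeMismatchArgumentNullable` line only hides that from static analysis. Branch on the block instead: `$block = $this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock();` then `if ( $block ) { throw new UserBlockedError( $block ); }` and otherwise `throw new PermissionsError( 'edit' );` (or an equivalent error), which keeps the fail-closed behaviour the commit message wants without the fatal and without the phan suppression. The name checkBlocked also no longer describes the method, which now checks edit permission in general; renaming it (for example to checkCanEdit) would match the new userCan() call.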
--
2.20.1

File Metadata

Mime Type
text/x-diff