Authored By
Lucas_Werkmeister_WMDE
Nov 29 2021, 2:24 PM

T296578.patch

From a36e0150d0b3d09b900503f36fb58876807d3958 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Mon, 29 Nov 2021 15:20:40 +0100
Subject: [PATCH] SECURITY: Do not let globally blocked users edit
Use getPermissionErrors() instead of isBlockedFrom() to check other
kinds of permission errors, including global blocks. The more general
PermissionsError class can be thrown instead of UserBlockedError.
Bug: T296578
Change-Id: Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9
Co-Authored-By: Martin Urbanec <martin.urbanec@wikimedia.cz>
---
.../SetEntitySchemaLabelDescriptionAliases.php | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
index b42b9a8..797b41b 100644
--- a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
+++ b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
@@ -19,11 +19,11 @@
use MediaWiki\Revision\SlotRecord;
use MWException;
use OutputPage;
+use PermissionsError;
use RuntimeException;
use SpecialPage;
use Status;
use Title;
-use UserBlockedError;
use WebRequest;
use WikiPage;
@@ -48,7 +48,8 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
public function __construct( $htmlFormProvider = HTMLForm::class ) {
parent::__construct(
- 'SetEntitySchemaLabelDescriptionAliases'
+ 'SetEntitySchemaLabelDescriptionAliases',
+ 'edit'
);
$this->htmlFormProvider = $htmlFormProvider;
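Review bot: The `'edit'` restriction added to `parent::__construct()` is only enforced at the special-page level if `execute()` calls `checkPermissions()` or `parent::execute()`, and that method is not part of this patch, so it is worth confirming. The same value is what `checkBlocked()` later reads through `getRestriction()`, so a short comment here would make the dependency visible, for example `// 'edit' is also the action checkBlocked() passes to getPermissionErrors()`. The constructor body continues outside the hunk.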
@@ -407,11 +408,10 @@ protected function getGroupName() {
}
private function checkBlocked( LinkTarget $title ) {
- if ( MediaWikiServices::getInstance()->getPermissionManager()
- ->isBlockedFrom( $this->getUser(), $title )
- ) {
- // @phan-suppress-next-line PhanTypeMismatchArgumentNullable
- throw new UserBlockedError( $this->getUser()->getBlock() );
+ $errors = MediaWikiServices::getInstance()->getPermissionManager()
+ ->getPermissionErrors( $this->getRestriction(), $this->getUser(), $title );
+ if ( $errors !== [] ) {
+ throw new PermissionsError( $this->getRestriction(), $errors );
}
}
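Review bot: The name `checkBlocked` no longer matches the new body, which throws on any entry returned by `getPermissionErrors()` rather than on blocks alone. A rename, or a docblock such as `/** @throws PermissionsError if the user may not perform the page restriction action on $title (blocks, global blocks, other permission errors) */`, would keep callers from treating it as a block-only check. The action checked is whatever `$this->getRestriction()` returns, so the check silently changes if the constructor argument is ever changed or dropped; passing the literal `'edit'` here would decouple the two. The diffstat lists a single file, so a regression test with a globally blocked user does not appear to be included. The callers of this method are outside the hunk, so whether it runs on the submit path as well as on form display cannot be confirmed from here.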
--
2.30.2
