Authored By
sbassett
Mar 14 2022, 9:33 PM

01-T160800.patch

From 3e5c0e901f14c5c5c17d1f95212786961f45be37 Mon Sep 17 00:00:00 2001
From: dylsss <dylssswp@gmail.com>
Date: Sat, 8 Jan 2022 20:56:17 +0000
Subject: [PATCH] SECURITY: Disallow blocked users from resetting transcodes
Previously, only whether the user held the right was checked, rather than
fully checking that the user has permission to perform the
transcode-reset action.
Bug: T160800
Change-Id: I285c7c189af350be22f5de7b1c6757ad7479a20c
---
includes/ApiTranscodeReset.php | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/includes/ApiTranscodeReset.php b/includes/ApiTranscodeReset.php
index 04782581..91e87f64 100644
--- a/includes/ApiTranscodeReset.php
+++ b/includes/ApiTranscodeReset.php
@@ -21,16 +21,18 @@ class ApiTranscodeReset extends ApiBase {
if ( !$this->getConfig()->get( 'EnableTranscode' ) ) {
$this->dieWithError( 'apierror-timedmedia-disabledtranscode', 'disabledtranscode' );
}
-
- // Confirm the user has the transcode-reset right
- $this->checkUserRightsAny( 'transcode-reset' );
+
$params = $this->extractRequestParams();
-
- // Make sure we have a valid Title
$titleObj = Title::newFromText( $params['title'] );
+
+ // Make sure we have a valid Title
if ( !$titleObj || $titleObj->isExternal() ) {
$this->dieWithError( [ 'apierror-invalidtitle', wfEscapeWikiText( $params['title'] ) ] );
}
+
+ // Check that the user has permmission to reset transcodes on the file
+ $this->checkTitleUserPermissions( $titleObj, 'transcode-reset' );
+
// Make sure the title can be transcoded
if ( !TimedMediaHandlerHooks::isTranscodableTitle( $titleObj ) ) {
$this->dieWithError(
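Review bot: The move to `$this->checkTitleUserPermissions( $titleObj, 'transcode-reset' );` comes with no regression test (the diffstat lists only includes/ApiTranscodeReset.php), so nothing pins the behaviour that a blocked user who holds the transcode-reset right is refused. An API test that blocks such a user and asserts the request dies with a permission error would stop a later refactor from quietly returning to a right-only check. The added comment also has a typo and should read `// Check that the user has permission to reset transcodes on the file`. The enclosing method starts and ends outside this hunk, so it is not visible here whether any other path that resets transcodes still relies on the right alone; that would be worth confirming before the fix is considered complete.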
--
2.30.2
