
0001-SECURITY-check-for-autopatrol-when-marking-own-artic.patch

Authored By
Zabe
Aug 1 2022, 8:03 PM

0001-SECURITY-check-for-autopatrol-when-marking-own-artic.patch

From f7030004cac0e5325f030ba56a450932b45c92a2 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <zabe@avorwerk.net>
Date: Mon, 1 Aug 2022 21:55:57 +0200
Subject: [PATCH] SECURITY: check for autopatrol when marking own articles as
reviewed
Bug: T314245
Change-Id: I9a3c9dafc634c59d7dbf1d6d62da389046a0e22e
---
includes/Api/ApiPageTriageAction.php | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/includes/Api/ApiPageTriageAction.php b/includes/Api/ApiPageTriageAction.php
index cc60ed4..6a2c73f 100644
--- a/includes/Api/ApiPageTriageAction.php
+++ b/includes/Api/ApiPageTriageAction.php
@@ -12,6 +12,7 @@ use MediaWiki\Extension\PageTriage\PageTriage;
use MediaWiki\Extension\PageTriage\PageTriageUtil;
use MediaWiki\MediaWikiServices;
use Wikimedia\ParamValidator\ParamValidator;
+use MediaWiki\Revision\RevisionRecord;
class ApiPageTriageAction extends ApiBase {
@@ -33,6 +34,15 @@ class ApiPageTriageAction extends ApiBase {
$note = $params['note'];
if ( isset( $params['reviewed'] ) ) {
+ // T314245 - do not allow someone to mark their own articles as reviewed
+ // when not being autopatrolled
+ $revStore = MediaWikiServices::getInstance()->getRevisionStore();
+ if ( $this->getUser()->equals( $revStore->getFirstRevision( $article->getPage() )->getUser( RevisionRecord::RAW ) )
+ && !$this->getAuthority()->isAllowed( 'autopatrol' )
+ ) {
+ $this->dieWithError( 'markedaspatrollederror-noautopatrol' );
+ }
+
$result = $this->markAsReviewed( $article, $params['reviewed'], $note, $params['skipnotif'] );
} else {
$result = $this->enqueue( $article, $note );
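Review bot: The new guard dereferences `$revStore->getFirstRevision( $article->getPage() )` without a null check, and `getFirstRevision()` returns null when no revision is found, so a page with no stored first revision would turn this permission check into a fatal error rather than a clean API error. Fetch it once with `$firstRev = $revStore->getFirstRevision( $article->getPage() );` and decide explicitly what a missing revision means; for an authorization check, refusing is the safer default, e.g. `if ( !$firstRev || ( $this->getUser()->equals( $firstRev->getUser( RevisionRecord::RAW ) ) && !$this->getAuthority()->isAllowed( 'autopatrol' ) ) )`. The condition also fires for every value of `$params['reviewed']`, so if that parameter can mean "unreview" as well, a non-autopatrolled creator is blocked from that too; a comment should state whether this is intended. The enclosing method starts and ends outside the hunk, so any earlier validation of `$article` is not visible here.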
--
2.17.1
