Authored By
Zabe
Aug 1 2022, 8:03 PM
2022-08-01 20:03:32 (UTC+0)
0001-SECURITY-check-for-autopatrol-when-marking-own-artic.patch
From f7030004cac0e5325f030ba56a450932b45c92a2 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <zabe@avorwerk.net>
Date: Mon, 1 Aug 2022 21:55:57 +0200
Subject: [PATCH] SECURITY: check for autopatrol when marking own articles as
reviewed
Bug: T314245
Change-Id: I9a3c9dafc634c59d7dbf1d6d62da389046a0e22e
---
includes/Api/ApiPageTriageAction.php | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/includes/Api/ApiPageTriageAction.php b/includes/Api/ApiPageTriageAction.php
index cc60ed4..6a2c73f 100644
--- a/includes/Api/ApiPageTriageAction.php
+++ b/includes/Api/ApiPageTriageAction.php
@@ -12,6 +12,7 @@ use MediaWiki\Extension\PageTriage\PageTriage;
use MediaWiki\Extension\PageTriage\PageTriageUtil;
use MediaWiki\MediaWikiServices;
use Wikimedia\ParamValidator\ParamValidator;
+use MediaWiki\Revision\RevisionRecord;
class ApiPageTriageAction extends ApiBase {
@@ -33,6 +34,15 @@ class ApiPageTriageAction extends ApiBase {
$note = $params['note'];
if ( isset( $params['reviewed'] ) ) {
+ // T314245 - do not allow someone to mark their own articles as reviewed
+ // when not being autopatrolled
+ $revStore = MediaWikiServices::getInstance()->getRevisionStore();
+ if ( $this->getUser()->equals( $revStore->getFirstRevision( $article->getPage() )->getUser( RevisionRecord::RAW ) )
+ && !$this->getAuthority()->isAllowed( 'autopatrol' )
+ ) {
+ $this->dieWithError( 'markedaspatrollederror-noautopatrol' );
+ }
+
$result = $this->markAsReviewed( $article, $params['reviewed'], $note, $params['skipnotif'] );
} else {
$result = $this->enqueue( $article, $note );
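Review bot: The new guard dereferences `$revStore->getFirstRevision( $article->getPage() )` directly, but RevisionStore::getFirstRevision() is declared nullable in core, so a page whose first revision cannot be loaded (deleted, suppressed or otherwise missing) would fatal here instead of producing a clean API error, turning a security check into an availability problem. Fetching the revision first and treating a missing creator as "not the creator" keeps the fail-closed intent without the crash: `$firstRev = $revStore->getFirstRevision( $article->getPage() );`, `$creator = $firstRev ? $firstRev->getUser( RevisionRecord::RAW ) : null;`, `if ( $creator && $this->getUser()->equals( $creator ) && !$this->getAuthority()->isAllowed( 'autopatrol' ) ) {`. Note also that the branch runs for any set `reviewed` value, so a creator without autopatrol is now also blocked from un-reviewing their own article; if that is not intended, the condition should additionally test the requested review state. Since the check lives only in this API handler rather than in markAsReviewed(), any future non-API caller of that method would bypass it, so consider moving it into the shared path; the surrounding execute() method begins outside this hunk.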
--
2.17.1
T314245: CVE-2022-41344: PageTriage extension - someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction