F35525954
T318166.patch
Dreamy_Jazz (WBrown (WMF))
Authored By: Dreamy_Jazz
Date: Sep 20 2022, 2:55 PM (2022-09-20 14:55:20 UTC+0)
Size: 1 KB
From 527ba1ab2b5b6b268513ec7d16b635e24b503e10 Mon Sep 17 00:00:00 2001
From: dreamyjazz <dreamyjazzwikipedia@gmail.com>
Date: Tue, 20 Sep 2022 15:50:27 +0100
Subject: [PATCH] Do not show suppressed usernames on edits in the API
Ensure that the check for what a user can see also includes whether
the user can see the username for the edit.
Bug: T318166
---
src/Api/ApiQueryCheckUser.php | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/Api/ApiQueryCheckUser.php b/src/Api/ApiQueryCheckUser.php
index a61a8cc3..78712f34 100644
--- a/src/Api/ApiQueryCheckUser.php
+++ b/src/Api/ApiQueryCheckUser.php
@@ -213,6 +213,13 @@ class ApiQueryCheckUser extends ApiQueryBase {
) ) {
$edit['summary'] = $this->msg( 'rev-deleted-comment' )->text();
}
+ if ( !RevisionRecord::userCanBitfield(
+ $revRecord->getVisibility(),
+ RevisionRecord::DELETED_USER,
+ $this->getUser()
+ ) ) {
+ $edit['user'] = $this->msg( 'rev-deleted-user' )->text();
+ }
}
}
if ( $row->cuc_minor ) {
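Review bot: The new DELETED_USER check sits inside the same enclosing block as the rev-deleted-comment check just above it (the block closed by the two braces that follow the added lines), so $edit['user'] is masked only on the path where $revRecord is available; any row that skips this block still returns the stored username. Please confirm that every row type this API emits reaches the check, or move the username masking so it does not depend on that branch. The replacement also writes the localized rev-deleted-user message text into the user field, where a client cannot distinguish it from a real username; a separate machine-readable marker alongside it would help consumers. The diffstat shows only src/Api/ApiQueryCheckUser.php changed, so a regression test asserting that a caller who cannot see the username receives the placeholder would be worth adding with this fix.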
--
2.25.1
Attached To: T318166: CVE-2022-39193: CheckUser API can expose the suppressed performer