Authored By
Mattflaschen-WMF
Apr 10 2017, 6:53 PM
Size
943 B

T162621.patch

From bab6c698ebb4362d4f928e566a7b9cb7e198abe6 Mon Sep 17 00:00:00 2001
From: Matthew Flaschen <mflaschen@wikimedia.org>
Date: Mon, 10 Apr 2017 14:50:33 -0400
Subject: [PATCH] SECURITY: Don't treat non-existent user as "any anon"
Due to an issue with how the username was checked, it would show
all topics created by any anon when a non-existent user was requested.
Bug: T162621
Change-Id: I243712cedb75fc9c51dc45404eed65bf2d42c111
---
Hooks.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Hooks.php b/Hooks.php
index 468f756..edf226b 100644
--- a/Hooks.php
+++ b/Hooks.php
@@ -1886,7 +1886,7 @@ class FlowHooks {
$userWhere = array();
if ( $username ) {
$user = User::newFromName( $username );
- if ( $user ) {
+ if ( $user && $user->isLoggedIn() ) {
$userWhere = array( 'tree_orig_user_id' => $user->getId() );
} else {
$userWhere = array( 'tree_orig_user_ip' => $username );
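Review bot: The else branch at `$userWhere = array( 'tree_orig_user_ip' => $username );` now receives every requested name that is not an existing account, so a non-existent, non-IP username is compared against the IP column as a raw string. That no longer widens the result set the way the commit message describes, but the intent would be clearer if the code checked that `$username` is actually an IP address before building this condition and returned an empty result otherwise. A one-line comment at `if ( $user && $user->isLoggedIn() )` explaining why a truthy `$user` alone is not enough (the object can represent a name with no account) would help keep the check from being simplified away later. The diffstat shows only Hooks.php changing, so a regression test for the non-existent-user case is also worth adding.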
--
2.1.4

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4559285
Default Alt Text
T162621.patch (943 B)
