Page MenuHomePhabricator

Deleting a log entry actor doesn't always hide the actor entirely
Closed, ResolvedPublic

Description

The "thanks" button can still be used to discover who committed the logged action.

See https://test.wikipedia.org/wiki/Special:Log?logid=220884 and then https://test.wikipedia.org/wiki/Special:Log?logid=220884&uselang=qqx

Details

Related Gerrit Patches:

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 23 2019, 6:02 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptMay 23 2019, 6:03 PM
DannyS712 moved this task from Unsorted to Others on the User-DannyS712 board.Jun 3 2019, 10:01 AM
Urbanecm claimed this task.Jul 11 2019, 9:27 AM
Urbanecm added a project: Vuln-Infoleak.
Urbanecm added a subscriber: Urbanecm.

This should fix this.

Restricted Application added a project: User-Urbanecm. · View Herald TranscriptJul 11 2019, 9:29 AM

Patch looks good to me, I will deploy it in an hour.

Thank you, @Catrope. Could you please have a look at T207094 as well, if it's within your area of expertise? :-)

Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 11 2019, 10:51 PM

Change 522202 merged by jenkins-bot:
[mediawiki/extensions/Thanks@master] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522202

Change 522213 had a related patch set uploaded (by Catrope; owner: Urbanecm):
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.13] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522213

Change 522214 had a related patch set uploaded (by Catrope; owner: Urbanecm):
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.11] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522214

Change 522213 merged by jenkins-bot:
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.13] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522213

Change 522214 merged by jenkins-bot:
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.11] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522214

Thanks @Catrope for deployment. Can this be closed as "resolved" then?

Catrope closed this task as Resolved.Jul 12 2019, 10:17 PM

Yes, sorry for forgetting. I was waiting for the patches to merge.