Page MenuHomePhabricator

Can view and hide log entry for suppress actions
Closed, DuplicatePublic

Description

As member of the sysop user group on dewiki I can visit Special:RevisionDelete, when setting the url parameter to a log id it is possible to see the log entry and also hide parts of it.

This is happen because there seems no check for $wgLogRestrictions when showing the log entry for a restricted log. The log entry itself is not marked as revision deleted and therefore it is shown.

Working example (for viewing):
https://de.wikipedia.org/w/index.php?title=Spezial:Versionsl%C3%B6schung&type=logging&ids=67810647
But I cannot visit https://de.wikipedia.org/wiki/Spezial:Logbuch/suppress where this should also be listed.

To get a log id of a suppressed log I have looked at the api (list=logevents) for a gap in the returned log_id and test it.

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Apr 14 2015, 8:43 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 14 2015, 8:43 PM
Umherirrender updated the task description. (Show Details)
Umherirrender changed Security from None to Software security bug.
Umherirrender edited subscribers, added: Umherirrender; removed: Aklapper.

Confirmed by @Jalexander.

@aaron, is there a reason $wgLogRestrictions shouldn't apply here? It looks like the check is missing from RevDelLogItem::canView() (seems like revdel should account for it at that layer), and from SpecialRevisionDelete when calculating $this->mIsAllowed or SpecialRevisionDelete should just check for this special case and error out if it happens.

csteipp triaged this task as High priority.Apr 15 2015, 12:02 AM

I would add a check to RevDelLogItem::canView function because that is already checked in Special:RevisionDelete

diff --git a/includes/revisiondelete/RevDelLogItem.php b/includes/revisiondelete/RevDelLogItem.php
index 49adf20..dbc6225 100644
--- a/includes/revisiondelete/RevDelLogItem.php
+++ b/includes/revisiondelete/RevDelLogItem.php
@@ -40,7 +40,10 @@
 	}
 
 	public function canView() {
-		return LogEventsList::userCan( $this->row, Revision::DELETED_RESTRICTED, $this->list->getUser() );
+		global $wgLogRestrictions;
+		return LogEventsList::userCan( $this->row, Revision::DELETED_RESTRICTED, $this->list->getUser() )
+			&& ( !isset( $wgLogRestrictions[$this->row->log_type] )
+				|| $this->list->getUser()->isAllowed( $wgLogRestrictions[$this->row->log_type] ) );
 	}
 
 	public function canViewContent() {

I don't think that's quite right - *no one* should be able to hide suppression log entries.

I don't think that's quite right - *no one* should be able to hide suppression log entries.

I don't see why suppressing suppression logs needs to be prevented. While it obviously doesn't make "sense" for someone to do such a thing, I don't see the harm, since anyone who can view the suppression log would be able to see the suppressed log entries anyways, and keeping MW's permission system general instead of special cased seems like a good thing.

It still works after 2,5 years to see suppress logs when using the log id. It is a small impact, because it already needs a sysop account, but it is not nice to filter suppress logs out of big list and than allow it on direct access.

Can we mark this public after 4 years to fix it with a patch on gerrit?

@Umherirrender - I'd say yes, especially given the nature of this issue. If nobody else objects, I can make this task public and you can push a patch up to gerrit.

public https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/507870/ links to restricted T222038, but the patch looks similar (a bit modern due to changes to LogFormatter over the time)

Please change to public. Thanks

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 25 2019, 9:47 PM