[MediaWiki-commits] [Gerrit] SECURITY: Do not show log action if revdeleted - change (mediawiki/core)

Wed, 26 Nov 2014 17:29:38 -0800 

Mglaser has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/176209

Change subject: SECURITY: Do not show log action if revdeleted
......................................................................

SECURITY: Do not show log action if revdeleted

Also do not include revdeleted entries in search results when
filtering by action if user cannot view that info.

Bug: 72222
Change-Id: I9f331c421c55323018765456d6a99229e1fff592
---
M includes/api/ApiQueryLogEvents.php
1 file changed, 11 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/09/176209/1

diff --git a/includes/api/ApiQueryLogEvents.php 
b/includes/api/ApiQueryLogEvents.php
index ee7fbc0..64f933f 100644
--- a/includes/api/ApiQueryLogEvents.php
+++ b/includes/api/ApiQueryLogEvents.php
@@ -192,7 +192,8 @@
                }
 
                // Paranoia: avoid brute force searches (bug 17342)
-               if ( !is_null( $title ) || !is_null( $user ) ) {
+               $hideActions = $params['namespace'] !== null || !is_null( 
$title ) || !is_null( $params['action'] );
+               if ( $hideActions || !is_null( $user ) ) {
                        if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) 
{
                                $titleBits = LogPage::DELETED_ACTION;
                                $userBits = LogPage::DELETED_USER;
@@ -203,7 +204,7 @@
                                $titleBits = 0;
                                $userBits = 0;
                        }
-                       if ( !is_null( $title ) && $titleBits ) {
+                       if ( $hideActions && $titleBits ) {
                                $this->addWhere( $db->bitAnd( 'log_deleted', 
$titleBits ) . " != $titleBits" );
                        }
                        if ( !is_null( $user ) && $userBits ) {
@@ -353,12 +354,18 @@
                        $title = Title::makeTitle( $row->log_namespace, 
$row->log_title );
                }
 
-               if ( $this->fld_title || $this->fld_ids || $this->fld_details 
&& $row->log_params !== '' ) {
+               if ( $this->fld_title || $this->fld_ids || $this->fld_type
+                       || $this->fld_details && $row->log_params !== ''
+               ) {
                        if ( LogEventsList::isDeleted( $row, 
LogPage::DELETED_ACTION ) ) {
                                $vals['actionhidden'] = '';
                                $anyHidden = true;
                        }
                        if ( LogEventsList::userCan( $row, 
LogPage::DELETED_ACTION, $user ) ) {
+
+                               if ( $this->fld_type ) {
+                                       $vals['action'] = $row->log_action;
+                               }
                                if ( $this->fld_title ) {
                                        ApiQueryBase::addTitleInfo( $vals, 
$title );
                                }
@@ -379,9 +386,8 @@
                        }
                }
 
-               if ( $this->fld_type || $this->fld_action ) {
+               if ( $this->fld_type ) {
                        $vals['type'] = $row->log_type;
-                       $vals['action'] = $row->log_action;
                }
 
                if ( $this->fld_user || $this->fld_userid ) {

-- 
To view, visit https://gerrit.wikimedia.org/r/176209
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9f331c421c55323018765456d6a99229e1fff592
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Mglaser <gla...@hallowelt.biz>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to