[MediaWiki-commits] [Gerrit] SECURITY: Handle suppressed usernames in non-revision based ... - change (mediawiki...Echo)

Fri, 16 Oct 2015 15:27:21 -0700 

Chad has submitted this change and it was merged.

Change subject: SECURITY: Handle suppressed usernames in non-revision based 
events
......................................................................


SECURITY: Handle suppressed usernames in non-revision based events

We only track revisions for some notification types, others still
reference usernames, but don't check for suppression status. If no
revision is available, use User::isHidden() to check whether
EchoEvent::getAgent() has been hidden.

Bug: T110553
Change-Id: I31e635e365bbb0f6c6ac63be2bdb07e5e2d67c96
---
M model/Event.php
1 file changed, 23 insertions(+), 1 deletion(-)

Approvals:
  Chad: Verified; Looks good to me, approved



diff --git a/model/Event.php b/model/Event.php
index 235c026..c827401 100644
--- a/model/Event.php
+++ b/model/Event.php
@@ -349,9 +349,31 @@
         */
        public function userCan( $field, User $user = null ) {
                $revision = $this->getRevision();
-               if ( $revision ) {
+               // User is handled specially
+               if ( $field === Revision::DELETED_USER ) {
+                       $agent = $this->getAgent();
+                       if ( !$agent ) {
+                               // No user associated, so they can see it.
+                               return true;
+                       } elseif ( $revision
+                               && $agent->getName() === 
$revision->getUserText( Revision::RAW )
+                       ) {
+                               // If the agent and the revision user are the 
same, use rev_deleted
+                               return $revision->userCan( $field, $user );
+                       } else {
+                               // Use User::isHidden()
+                               if ( !$user ) {
+                                       // @FIXME Require a user object for 
this function
+                                       global $wgUser;
+                                       $user = $wgUser;
+                               }
+                               return $user->isAllowedAny( 'viewsuppressed', 
'hideuser' ) || !$agent->isHidden();
+                       }
+               } elseif ( $revision ) {
+                       // A revision is set, use rev_deleted
                        return $revision->userCan( $field, $user );
                } else {
+                       // Not a user, and there is no associated revision, so 
the user can see it
                        return true;
                }
        }

-- 
To view, visit https://gerrit.wikimedia.org/r/246993
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I31e635e365bbb0f6c6ac63be2bdb07e5e2d67c96
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Echo
Gerrit-Branch: REL1_25
Gerrit-Owner: Chad <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to