[MediaWiki-commits] [Gerrit] mediawiki...BlueSpiceExtensions[master]: PageAccess: fix bug where tag would lead to a complete block

Fri, 28 Oct 2016 06:00:02 -0700 

Mglaser has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/318533

Change subject: PageAccess: fix bug where tag would lead to a complete block
......................................................................

PageAccess: fix bug where tag would lead to a complete block

Any usage of the tag would lead to a complete block of the page. This
was due to User::getEffectiveGroups, which returns empty sets instead
of the expected list of groups. Now using getGroups as well as
getImplicitGroups to get the wanted result.

Change-Id: Ie755a53f5790233f83a9c2da4aa6682d716923b7
---
M PageAccess/PageAccess.class.php
1 file changed, 35 insertions(+), 10 deletions(-)


  git pull 
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/BlueSpiceExtensions 
refs/changes/33/318533/1

diff --git a/PageAccess/PageAccess.class.php b/PageAccess/PageAccess.class.php
index 2bbbc0b..08b865e 100644
--- a/PageAccess/PageAccess.class.php
+++ b/PageAccess/PageAccess.class.php
@@ -38,6 +38,9 @@
  * Separate multiple groups by commas.
  */
 class PageAccess extends BsExtensionMW {
+
+       private static $aAllowedPairs = array(); // <page_id>-<user_id>
+
        protected function initExt() {
                wfProfileIn( 'BS::'.__METHOD__ );
                $this->setHook( 'PageContentSave' );
@@ -114,7 +117,7 @@
 
        /**
         * Checks if user is in one of the given user groups
-        * @param object $oUser the current user
+        * @param User $oUser the current user
         * @param string $sAccessGroups a comma separated list of user groups
         * @return bool
         */
@@ -122,11 +125,9 @@
                if ( !$sAccessGroups ) return true;
                $aAccessGroups = array_map("trim", explode( ',', $sAccessGroups 
) );
                wfRunHooks( 'BSPageAccessAddAdditionalAccessGroups', array( 
&$aAccessGroups ) );
-               $aUserGroups = $oUser->getEffectiveGroups();
+               $aUserGroups = array_merge( $oUser->getGroups(), 
$oUser->getImplicitGroups() );
                return (bool) array_intersect( $aAccessGroups, $aUserGroups );
        }
-
-       private static $aAllowedPairs = array(); // <page_id>-<user_id>
 
        /**
         * Checks if user is allowed to view page
@@ -136,17 +137,35 @@
         */
        public function isUserAllowed( $oPage, $oUser ) {
                $oPage = ( $oPage instanceof Article ) ? $oPage->getTitle() : 
$oPage;
+               // if this is not a valid article or there is no user,
+               // this is none of our business.
+               if ( $oPage->getArticleId() == 0 ) {
+                       return true;
+               }
+
                $sPair = $oPage->getArticleId().'-'.$oUser->getId();
-               if( isset( self::$aAllowedPairs[$sPair] ) ) return 
self::$aAllowedPairs[$sPair];
+
+               if( isset( self::$aAllowedPairs[$sPair] ) ) {
+                       return self::$aAllowedPairs[$sPair];
+               }
 
                $dbr = wfGetDB( DB_SLAVE );
                $bHasAccess = true;
                $aAllTitles = $oPage->getTemplateLinksFrom();
                $aAllTitles[] = $oPage;
                foreach ( $aAllTitles as $oTitleToCheck ) {
-                       $sAccessGroups = $dbr->selectField( 'page_props', 
'pp_value',
-                                       array( 'pp_page' => 
$oTitleToCheck->getArticleID(), 'pp_propname' => 'bs-page-access' ), __METHOD__ 
);
-                       if ( !$this->checkAccessGroups( $oUser, $sAccessGroups 
) ) $bHasAccess = false;
+                       $sAccessGroups = $dbr->selectField(
+                               'page_props',
+                               'pp_value',
+                               array(
+                                       'pp_page' => 
$oTitleToCheck->getArticleID(),
+                                       'pp_propname' => 'bs-page-access'
+                               ),
+                               __METHOD__
+                       );
+                       if ( !$this->checkAccessGroups( $oUser, $sAccessGroups 
) ) {
+                               $bHasAccess = false;
+                       }
                }
                self::$aAllowedPairs[$sPair] = $bHasAccess;
                return $bHasAccess;
@@ -159,8 +178,14 @@
 
        public function onUserCan( $title, $user, $action, &$result ) {
                // TODO MRG: Is this list really exhaustive enough?
-               if( !in_array($action, array('read', 'edit', 'delete', 'move')) 
) return true;
-               if ( $this->isUserAllowed( $title, $user ) ) return true;
+               if( !in_array($action, array('read', 'edit', 'delete', 'move')) 
) {
+                       $result = true;
+                       return true;
+               }
+               if ( $this->isUserAllowed( $title, $user ) ) {
+                       $result = true;
+                       return true;
+               }
                $result = false;
                return false;
        }

-- 
To view, visit https://gerrit.wikimedia.org/r/318533
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie755a53f5790233f83a9c2da4aa6682d716923b7
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/BlueSpiceExtensions
Gerrit-Branch: master
Gerrit-Owner: Mglaser <gla...@hallowelt.biz>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to