jenkins-bot has submitted this change and it was merged.
Change subject: Respect the core 'edit' user permission
......................................................................
Respect the core 'edit' user permission
Adjust permission handling such that all write actions require the user
to have the 'edit' permission in addition to any flow specific permissions
Change-Id: I14e725745ab1c032466924a75f6a15d531e0e678
---
M includes/Model/AbstractRevision.php
M includes/PostActionPermissions.php
2 files changed, 16 insertions(+), 1 deletion(-)
Approvals:
Bsitu: Looks good to me, approved
jenkins-bot: Verified
diff --git a/includes/Model/AbstractRevision.php
b/includes/Model/AbstractRevision.php
index 15d5bcd..b5fd2a6 100644
--- a/includes/Model/AbstractRevision.php
+++ b/includes/Model/AbstractRevision.php
@@ -167,6 +167,9 @@
* and it is not the most recent revision.
*/
public function newNullRevision( User $user ) {
+ if ( !$user->isAllowed( 'edit' ) ) {
+ throw new \MWException( 'User does not have core edit
permission' );
+ }
$obj = clone $this;
$obj->revId = UUID::create();
$obj->userId = $user->getId();
@@ -252,11 +255,12 @@
}
/**
+ * Is the user allowed to see this revision?
+ *
* @param User $user The user requesting access. When null assumes a
user with no permissions.
* @param int $state One of the self::MODERATED_* constants. When null
the internal moderation state is used.
* @return boolean True when the user is allowed to see the current
revision
*/
- // Is the user allowed to see this revision ?
public function isAllowed( $user = null, $state = null ) {
// allowing a $state to be passed is a bit hackish
if ( $state === null ) {
diff --git a/includes/PostActionPermissions.php
b/includes/PostActionPermissions.php
index 8eaee9a..75513ac 100644
--- a/includes/PostActionPermissions.php
+++ b/includes/PostActionPermissions.php
@@ -10,6 +10,13 @@
*/
class PostActionPermissions {
+ /**
+ * @var array List of actions (as strings) that do *not* modify anything
+ * and are used strictly for viewing. A user *must* have
the core
+ * 'edit' permission to perform any action not in this list.
+ */
+ static private $readPermissions = array( 'post-history', 'view' );
+
public function __construct( $user ) {
$this->user = $user;
@@ -98,6 +105,10 @@
if ( !isset( $this->actions[$action] ) ) {
return false;
}
+ // Users must have the core 'edit' permission to perform any
write action in flow
+ if ( false === array_search( $action, self::$readPermissions )
&& !$this->user->isAllowed( 'edit' ) ) {
+ return false;
+ }
$permissions = $this->actions[$action];
if ( $permissions instanceof Closure ) {
$permissions = $permissions( $post );
--
To view, visit https://gerrit.wikimedia.org/r/91892
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I14e725745ab1c032466924a75f6a15d531e0e678
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Flow
Gerrit-Branch: master
Gerrit-Owner: EBernhardson <[email protected]>
Gerrit-Reviewer: Bsitu <[email protected]>
Gerrit-Reviewer: EBernhardson <[email protected]>
Gerrit-Reviewer: jenkins-bot
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
