https://www.mediawiki.org/wiki/Special:Code/MediaWiki/112604
Revision: 112604
Author: emsmith
Date: 2012-02-28 15:38:16 +0000 (Tue, 28 Feb 2012)
Log Message:
-----------
bug 34090 - can't believe there were no permission checks in this - only the
delete group can delete and reset oversight, the hide group can hide and request
oversight, everybody else can mark helpful/unhelpful and flag as abuse
Modified Paths:
--------------
trunk/extensions/ArticleFeedbackv5/api/ApiFlagFeedbackArticleFeedbackv5.php
Modified:
trunk/extensions/ArticleFeedbackv5/api/ApiFlagFeedbackArticleFeedbackv5.php
===================================================================
--- trunk/extensions/ArticleFeedbackv5/api/ApiFlagFeedbackArticleFeedbackv5.php
2012-02-28 15:21:45 UTC (rev 112603)
+++ trunk/extensions/ArticleFeedbackv5/api/ApiFlagFeedbackArticleFeedbackv5.php
2012-02-28 15:38:16 UTC (rev 112604)
@@ -45,6 +45,9 @@
$direction = isset( $params['direction'] ) ?
$params['direction'] : 'increase';
$where = array( 'af_id' => $feedbackId );
+ // woah, we were not checking for permissions (that could have
been script kiddy bad)
+ global $wgUser;
+
// we use ONE db connection that talks to master
$dbw = wfGetDB( DB_MASTER );
$dbw->begin();
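Review bot: The only thing this hunk adds before `wfGetDB( DB_MASTER )` and `$dbw->begin()` is `global $wgUser`; the actual `isAllowed()` tests sit in the flag branch chain further down, so an unauthorised caller still opens a write transaction on the master before being refused (if it is refused at all). Mapping `$flag` to the required right and bailing out here, before `begin()`, would fail closed without the master round-trip. Note also that `User::isAllowed()` tests group rights only, not blocks, so a blocked user with the right still passes; whether that is intended is not addressed by the commit. The informal comment would serve better as a statement of the policy, e.g. `// Rights gate: aftv5-delete-feedback for delete/resetoversight, aftv5-hide-feedback for hide/oversight; other flags are open to everyone` and, if this ApiBase subclass has a context, `$this->getUser()` is preferable to the global (cannot confirm from the hunk). The enclosing method starts before this hunk.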
@@ -56,7 +59,7 @@
// no-op, because this is already broken
$error = 'articlefeedbackv5-invalid-feedback-id';
- } elseif ( 'delete' == $flag ) {
+ } elseif ( 'delete' == $flag && $wgUser->isAllowed(
'aftv5-delete-feedback' )) {
// deleting means to "mark as oversighted" and "delete"
it
// oversighting also auto-hides the item
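Review bot: Folding `$wgUser->isAllowed( 'aftv5-delete-feedback' )` into the `elseif` condition means a caller without that right gets no error: the branch is simply skipped and the request falls through to the later `elseif`s and whatever the final `else` does (outside this hunk), while the transaction opened above still runs to completion. A denied request should fail explicitly, the way the invalid-id case above sets `$error = 'articlefeedbackv5-invalid-feedback-id'`; e.g. keep the branch on the flag alone, `} elseif ( 'delete' == $flag ) {`, and make its first statement `if ( !$wgUser->isAllowed( 'aftv5-delete-feedback' ) ) { $error = <permission-denied message key>; }` with the existing body in the `else`. The same silent fall-through applies to the hide, resetoversight and oversight branches changed in the other hunks. The enclosing method starts before this hunk and continues past it.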
@@ -96,7 +99,7 @@
$filters['notdeleted'] = 1;
}
- } elseif ( 'hide' == $flag ) {
+ } elseif ( 'hide' == $flag && $wgUser->isAllowed(
'aftv5-hide-feedback' )) {
// increase means "hide this"
if( $direction == 'increase' ) {
@@ -118,7 +121,7 @@
$filters = $this->changeFilterCounts( $record,
$filters, 'show' );
}
- } elseif( 'resetoversight' === $flag) {
+ } elseif( 'resetoversight' === $flag && $wgUser->isAllowed(
'aftv5-delete-feedback' )) {
$activity = 'decline';
// oversight request count becomes 0
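Review bot: The flag comparison is strict here (`'resetoversight' === $flag`) but loose in the delete and hide branches (`'delete' == $flag`, `'hide' == $flag`); since `$flag` is a request parameter, the rights gate should be written the same way in every branch, preferably `===`, so a reader can verify the policy by eye. A one-line comment stating why this branch shares the delete right would also help, e.g. `// resolving an oversight request is an oversighter action: needs aftv5-delete-feedback`. The enclosing method starts before this hunk and continues past it.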
@@ -193,7 +196,7 @@
}
// NOTE: this is actually request/unrequest oversight and works
similar to abuse
- } elseif( 'oversight' === $flag) {
+ } elseif( 'oversight' === $flag && $wgUser->isAllowed(
'aftv5-hide-feedback' )) {
if($direction == 'increase') {
$activity = 'request';
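Review bot: The branch now requires `aftv5-hide-feedback` for both directions, request and unrequest, but the existing NOTE only says the flag works "similar to abuse"; it should say which right gates it so the mapping is not lost the next time the chain is edited, e.g. `// NOTE: request/unrequest oversight requires aftv5-hide-feedback; resolving it (delete/resetoversight) requires aftv5-delete-feedback`. As with the delete branch, a user lacking the right does not get an error here but drops through to the next branch, which is outside this hunk. The enclosing method starts before this hunk and continues past it.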