Matthias Mullie has uploaded a new change for review.
https://gerrit.wikimedia.org/r/102201
Change subject: load* shouldn't check for view permissions
......................................................................
load* shouldn't check for view permissions
They should just return the requested data. It's up to the caller to check for
permissions for whatever action the data will be used for.
Right now, all load* functions check for view permissions. Currently, view
permission is the lowest, so there's not really a problem that these are
checked, but they shouldn't be: no view permission should be needed to moderate
a post; only the moderate-specific permissions (which are also already being
checked)
Change-Id: If6bfbb02891aee19cd73c44dc4d091c832cde8b1
---
M includes/Block/Topic.php
1 file changed, 21 insertions(+), 22 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Flow
refs/changes/01/102201/1
diff --git a/includes/Block/Topic.php b/includes/Block/Topic.php
index 4b8eaac..64199c3 100644
--- a/includes/Block/Topic.php
+++ b/includes/Block/Topic.php
@@ -346,7 +346,7 @@
$templating->getOutput()->addModules( array(
'ext.flow.history' ) );
} else {
$templating->getOutput()->addModuleStyles( array(
'ext.flow.discussion', 'ext.flow.moderation' ) );
- $templating->getOutput()->addModules( array(
'ext.flow.discussion' ) );
+ $templating->getOutput()->addModules( array(
'ext.flow.discussion' ) );
}
$prefix = '';
@@ -472,6 +472,10 @@
protected function renderRevision( Templating $templating, array
$options, $return = false ) {
$postRevision = $this->loadRequestedRevision( $options['revId']
);
+ if ( !$this->permissions->isAllowed( $postRevision, 'view' ) ) {
+ $this->addError( 'permissions', wfMessage(
'flow-error-not-allowed' ) );
+ return null;
+ }
if ( !$postRevision ) {
return;
@@ -514,6 +518,12 @@
return;
}
+ $topicTitle = $this->loadTopicTitle(); // pre-loaded by
loadRequestedPost
+ if ( !$this->permissions->isAllowed( $topicTitle, 'view' ) ) {
+ $this->addError( 'permissions', wfMessage(
'flow-error-not-allowed' ) );
+ return;
+ }
+
$history = $this->getHistory( $options['postId'] );
// get rid of history entries user doesn't have sufficient
permissions for
@@ -526,7 +536,7 @@
return $templating->render( "flow:post-history.html.php", array(
'block' => $this,
'topic' => $this->workflow,
- 'topicTitle' => $this->loadTopicTitle(), // pre-loaded
by loadRequestedPost
+ 'topicTitle' => $topicTitle,
'post' => $post,
'history' => new History( $history ),
'historyRenderer' => new HistoryRenderer( $templating,
$this ),
@@ -555,6 +565,9 @@
if ( isset( $options['postId'] ) ) {
$rootPost = $this->loadRootPost();
if ( !$rootPost ) {
+ return;
+ } elseif ( !$this->permissions->isAllowed( $rootPost,
'view' ) ) {
+ $this->addError( 'permissions', wfMessage(
'flow-error-not-allowed' ) );
return;
}
@@ -587,6 +600,9 @@
$topic = $this->workflow;
$rootPost = $this->loadRootPost();
if ( !$rootPost ) {
+ return;
+ } elseif ( !$this->permissions->isAllowed( $rootPost, 'view' )
) {
+ $this->addError( 'permissions', wfMessage(
'flow-error-not-allowed' ) );
return;
}
@@ -748,12 +764,8 @@
$rootPost = $this->rootLoader->get( $this->workflow->getId() );
- if ( $this->permissions->isAllowed( $rootPost, 'view' ) ) {
- // topicTitle is same as root, difference is root has
children populated to full depth
- return $this->topicTitle = $this->root = $rootPost;
- }
-
- $this->addError( 'moderation', wfMessage(
'flow-error-not-allowed' ) );
+ // topicTitle is same as root, difference is root has children
populated to full depth
+ return $this->topicTitle = $this->root = $rootPost;
}
// Loads only the title, as opposed to loadRootPost which gets the
entire tree of posts.
@@ -776,11 +788,6 @@
// looking for loadRootPost
$this->topicTitle->setChildren( array() );
$this->topicTitle->setDepth( 0 );
-
- if ( !$this->permissions->isAllowed( $this->topicTitle,
'view' ) ) {
- $this->topicTitle = null;
- $this->addError( 'permissions', wfMessage(
'flow-error-not-allowed' ) );
- }
}
return $this->topicTitle;
}
@@ -840,12 +847,7 @@
$post->setDepth( count( $rootPath ) - 1 );
}
- if ( $this->permissions->isAllowed( $topicTitle, 'view' )
- && $this->permissions->isAllowed( $post, 'view' ) ) {
- return $post;
- }
-
- $this->addError( 'moderation', wfMessage(
'flow-error-not-allowed' ) );
+ return $post;
}
protected function loadRequestedRevision( $revisionId ) {
@@ -857,9 +859,6 @@
if ( !$found ) {
throw new \MWException( 'The requested revision could
not be found' );
- } else if ( !$this->permissions->isAllowed( $found, 'view' ) ) {
- $this->addError( 'moderation', wfMessage(
'flow-error-not-allowed' ) );
- return null;
}
// using the path to the root post, we can know the post's depth
--
To view, visit https://gerrit.wikimedia.org/r/102201
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: If6bfbb02891aee19cd73c44dc4d091c832cde8b1
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Flow
Gerrit-Branch: master
Gerrit-Owner: Matthias Mullie <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
