Mglaser has uploaded a new change for review.
https://gerrit.wikimedia.org/r/176174
Change subject: SECURITY: Do not show log action if revdeleted
......................................................................
SECURITY: Do not show log action if revdeleted
Also do not include revdeleted entries in search results when
filtering by action if user cannot view that info.
Bug: 72222
Change-Id: I9f331c421c55323018765456d6a99229e1fff592
---
M includes/api/ApiQueryLogEvents.php
1 file changed, 11 insertions(+), 5 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/74/176174/1
diff --git a/includes/api/ApiQueryLogEvents.php
b/includes/api/ApiQueryLogEvents.php
index 917332b..5f9fae4 100644
--- a/includes/api/ApiQueryLogEvents.php
+++ b/includes/api/ApiQueryLogEvents.php
@@ -200,7 +200,8 @@
}
// Paranoia: avoid brute force searches (bug 17342)
- if ( $params['namespace'] !== null || !is_null( $title ) ||
!is_null( $user ) ) {
+ $hideActions = $params['namespace'] !== null || !is_null(
$title ) || !is_null( $params['action'] );
+ if ( $hideActions || !is_null( $user ) ) {
if ( !$this->getUser()->isAllowed( 'deletedhistory' ) )
{
$titleBits = LogPage::DELETED_ACTION;
$userBits = LogPage::DELETED_USER;
@@ -211,7 +212,7 @@
$titleBits = 0;
$userBits = 0;
}
- if ( ( $params['namespace'] !== null || !is_null(
$title ) ) && $titleBits ) {
+ if ( $hideActions && $titleBits ) {
$this->addWhere( $db->bitAnd( 'log_deleted',
$titleBits ) . " != $titleBits" );
}
if ( !is_null( $user ) && $userBits ) {
@@ -372,12 +373,18 @@
$title = Title::makeTitle( $row->log_namespace,
$row->log_title );
}
- if ( $this->fld_title || $this->fld_ids || $this->fld_details
&& $row->log_params !== '' ) {
+ if ( $this->fld_title || $this->fld_ids || $this->fld_type
+ || $this->fld_details && $row->log_params !== ''
+ ) {
if ( LogEventsList::isDeleted( $row,
LogPage::DELETED_ACTION ) ) {
$vals['actionhidden'] = '';
$anyHidden = true;
}
if ( LogEventsList::userCan( $row,
LogPage::DELETED_ACTION, $user ) ) {
+
+ if ( $this->fld_type ) {
+ $vals['action'] = $row->log_action;
+ }
if ( $this->fld_title ) {
ApiQueryBase::addTitleInfo( $vals,
$title );
}
@@ -399,9 +406,8 @@
}
}
- if ( $this->fld_type || $this->fld_action ) {
+ if ( $this->fld_type ) {
$vals['type'] = $row->log_type;
- $vals['action'] = $row->log_action;
}
if ( $this->fld_user || $this->fld_userid ) {
--
To view, visit https://gerrit.wikimedia.org/r/176174
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9f331c421c55323018765456d6a99229e1fff592
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Mglaser <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
