From 06317dc9888f809ea332067aca3953ba7201b848 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <alec@vc-celle.de>
Date: Sun, 20 Jun 2021 18:38:02 +0200
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer

Bug: T285190
Change-Id: I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec
---
 includes/specials/SpecialGlobalGroupMembership.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/specials/SpecialGlobalGroupMembership.php b/includes/specials/SpecialGlobalGroupMembership.php
index 3cb2a0d5..6b4d9023 100644
--- a/includes/specials/SpecialGlobalGroupMembership.php
+++ b/includes/specials/SpecialGlobalGroupMembership.php
@@ -105,7 +105,11 @@ class SpecialGlobalGroupMembership extends UserrightsPage {
 		} else {
 			$user = CentralAuthGroupMembershipProxy::newFromName( $username );
 
-			if ( !$user ) {
+			// If the user exists, but is hidden from the viewer, pretend that it does not exist. - T285190
+			$globalUser = CentralAuthUser::getMasterInstanceByName( $username );
+			if ( !$user || ( ( $globalUser->isOversighted() || $globalUser->isHidden() ) &&
+				!$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' ) )
+			) {
 				return Status::newFatal( 'nosuchusershort', $username );
 			}
 		}
-- 
2.26.1.windows.1