From 8b3d76f6f393d32ec57a30ebc942317869270b0b Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <alec@vc-celle.de>
Date: Sun, 20 Jun 2021 18:38:02 +0200
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer

Bug: T285190
Change-Id: I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec
---
 .../specials/SpecialGlobalGroupMembership.php  | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/includes/specials/SpecialGlobalGroupMembership.php b/includes/specials/SpecialGlobalGroupMembership.php
index 3cb2a0d5..68c2883c 100644
--- a/includes/specials/SpecialGlobalGroupMembership.php
+++ b/includes/specials/SpecialGlobalGroupMembership.php
@@ -97,15 +97,25 @@ class SpecialGlobalGroupMembership extends UserrightsPage {
 
 		if ( $username[0] == '#' ) {
 			$id = intval( substr( $username, 1 ) );
-			$user = CentralAuthGroupMembershipProxy::newFromId( $id );
-
-			if ( !$user ) {
+			$globalUser = CentralAuthUser::newMasterInstanceFromId( $id );
+			$user = $globalUser ? new CentralAuthGroupMembershipProxy( $globalUser ) : null;
+
+			// If the user exists, but is hidden from the viewer, pretend that it does
+			// not exist. - T285190/T260863
+			if ( !$user || ( ( $globalUser->isOversighted() || $globalUser->isHidden() ) &&
+				!$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' ) )
+			) {
 				return Status::newFatal( 'noname', $id );
 			}
 		} else {
 			$user = CentralAuthGroupMembershipProxy::newFromName( $username );
 
-			if ( !$user ) {
+			// If the user exists, but is hidden from the viewer, pretend that it does
+			// not exist. - T285190
+			$globalUser = CentralAuthUser::getMasterInstanceByName( $username );
+			if ( !$user || ( ( $globalUser->isOversighted() || $globalUser->isHidden() ) &&
+				!$this->getContext()->getAuthority()->isAllowed( 'centralauth-oversight' ) )
+			) {
 				return Status::newFatal( 'nosuchusershort', $username );
 			}
 		}
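Review bot: In the by-name branch the hidden/oversighted check runs on a `$globalUser` obtained by a second lookup, `CentralAuthUser::getMasterInstanceByName( $username )`, not on the account that `CentralAuthGroupMembershipProxy::newFromName( $username )` resolved. If `newFromName` normalises the name before looking it up (its body is not visible here), a non-canonical spelling could yield a valid `$user` while the check inspects a different, non-existent record whose `isHidden()` and `isOversighted()` are presumably false, leaving the hidden account reachable. The by-ID branch avoids this by building the proxy from the object it checks; the by-name branch could do the same by fetching `$globalUser` first under one canonical name and then using `$user = $globalUser->exists() ? new CentralAuthGroupMembershipProxy( $globalUser ) : null;`. The visibility condition is also repeated verbatim in both branches and would be easier to keep in sync as a private helper. The enclosing method starts and ends outside this hunk.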
-- 
2.17.1

