From 0a1fde173e4daa069250c4aa3a27f16b5b6d25bb Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy
Date: Fri, 18 Jan 2019 13:05:43 +0100
Subject: [PATCH] SECURITY: Check visibility for each version in ViewDiff

Instead of checking if the filter is currently hidden, check the visibility for each version and, if the user cannot see private filters, only show the diff if none of the revision is hidden. Also avoid showing a "diff" link if the user cannot see it.

Bug: T104807
Change-Id: Ie23e8234ae550273bf3f6f9c5ac45b7fc54eec2a
---
 includes/Views/AbuseFilterViewDiff.php | 10 +++++++
 includes/pagers/AbuseFilterHistoryPager.php | 32 +++++++++++++++++----
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/includes/Views/AbuseFilterViewDiff.php b/includes/Views/AbuseFilterViewDiff.php
index 9dc50b10..7e391318 100644
--- a/includes/Views/AbuseFilterViewDiff.php
+++ b/includes/Views/AbuseFilterViewDiff.php
@@ -117,6 +117,16 @@ class AbuseFilterViewDiff extends AbuseFilterView {
 return false;
 }
+ if ( !AbuseFilter::canViewPrivate( $this->getUser() ) &&
+ (
+ in_array( 'hidden', explode( ',', $this->mOldVersion['info']['flags'] ) ) ||
+ in_array( 'hidden', explode( ',', $this->mNewVersion['info']['flags'] ) )
+ )
+ ) {
+ $this->getOutput()->addWikiMsg( 'abusefilter-history-error-hidden' );
+ return false;
+ }
+
 $this->mNextHistoryId = $this->getNextHistoryId( $this->mNewVersion['meta']['history_id'] );
diff --git a/includes/pagers/AbuseFilterHistoryPager.php b/includes/pagers/AbuseFilterHistoryPager.php
index 55dfb901..870cae6d 100644
--- a/includes/pagers/AbuseFilterHistoryPager.php
+++ b/includes/pagers/AbuseFilterHistoryPager.php
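Review bot: The new guard in AbuseFilterViewDiff decides on the per-version `flags` strings but carries no comment saying why it deliberately ignores the filter's current hidden state, which is the whole point of this fix and the first thing a later maintainer is likely to "simplify" back; I'd put the rationale directly above the `if`: `// Check the flags of each revision being compared rather than the filter's current state: a filter that is public now may have been hidden when these revisions were made, and the user must be allowed to see both sides.` The same `in_array( 'hidden', explode( ',', $flags ) )` test is spelled out four times across this patch (twice here, twice in AbuseFilterHistoryPager), so a small shared helper on AbuseFilter, e.g. `AbuseFilter::isHiddenVersion( $flags )`, would keep the two access decisions from drifting apart; either way `in_array` should pass `true` as its third argument. The enclosing method begins before this hunk and continues after it.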
@@ -120,15 +120,35 @@ class AbuseFilterHistoryPager extends TablePager {
 $formatted = $display_actions;
 break;
 case 'afh_id':
+ // Set a link to a diff with the previous version if this isn't the first edit to the filter.
+ // Like in AbuseFilterViewDiff, don't show it if the user cannot see private filters and any
+ // of the versions is hidden.
 $formatted = '';
 if ( AbuseFilter::getFirstFilterChange( $row->afh_filter ) != $value ) {
- // Set a link to a diff with the previous version if this isn't the first edit to the filter
- $title = $this->mPage->getTitle(
- 'history/' . $row->afh_filter . "/diff/prev/$value" );
- $formatted = $this->linkRenderer->makeLink(
- $title,
- new HtmlArmor( $this->msg( 'abusefilter-history-diff' )->parse() )
+ $dbr = wfGetDB( DB_REPLICA );
+ $oldFlags = $dbr->selectField(
+ 'abuse_filter_history',
+ 'afh_flags',
+ [
+ 'afh_filter' => $row->afh_filter,
+ 'afh_id <' . $dbr->addQuotes( $row->afh_id ),
+ ],
+ __METHOD__,
+ [ 'ORDER BY' => 'afh_timestamp DESC' ]
 );
+ if ( $this->getUser()->isAllowedAny( 'abusefilter-modify', 'abusefilter-view-private' ) ||
+ (
+ !in_array( 'hidden', explode( ',', $row->afh_flags ) ) &&
+ !in_array( 'hidden', explode( ',', $oldFlags ) )
+ )
+ ) {
+ $title = $this->mPage->getTitle(
+ 'history/' . $row->afh_filter . "/diff/prev/$value" );
+ $formatted = $this->linkRenderer->makeLink(
+ $title,
+ new HtmlArmor( $this->msg( 'abusefilter-history-diff' )->parse() )
+ );
+ }
 }
 break;
 default:
--
2.17.1
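Review bot: The new link guard re-implements the right check inline as `$this->getUser()->isAllowedAny( 'abusefilter-modify', 'abusefilter-view-private' )`, while the companion change in AbuseFilterViewDiff gates the same diff on `AbuseFilter::canViewPrivate( $this->getUser() )`, so the comment's "Like in AbuseFilterViewDiff" only holds as long as the two happen to coincide; if canViewPrivate is ever widened or narrowed, the pager will show a link the view then refuses, or hide one it would serve. Replace the first operand with `AbuseFilter::canViewPrivate( $this->getUser() ) ||` so the pager and the view share a single access decision. Separately, the previous-version lookup issues one replica query per rendered row (`selectField` inside the per-cell formatter) and resolves "previous" as the newest `afh_timestamp` among lower `afh_id`s, which may or may not be how the `diff/prev/` route picks its old side; if the two disagree the link check and the view check can still diverge, so this is worth confirming against the route handler, and worth folding into the pager's main query or a per-filter cache if history pages get long. The enclosing method (the switch on the column name) starts and ends outside this hunk.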