From b218b0988949f14e6b6eeca7bf5babec54e36ee7 Mon Sep 17 00:00:00 2001
From: Martin Urbanec
Date: Sun, 28 Nov 2021 16:06:35 +0100
Subject: [PATCH] SECURITY: Do not let globally blocked users in
This is a quite hacky solution for the job, and it will fatal in case the user meets all of the following conditions: a) has the 'edit' right, b) is not locally/globally blocked, c) PermissionManager::userCan() returns false However, throwing is likely better than a permission error, at least from security's PoV.
Bug: T296578
Change-Id: I121eca1f7c86c17aba510fc5a50de347792f5aab
---
 .../Specials/SetEntitySchemaLabelDescriptionAliases.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
index b42b9a8..d43bf79 100644
--- a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
+++ b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
@@ -48,7 +48,8 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
 public function __construct( $htmlFormProvider = HTMLForm::class ) {
 parent::__construct(
- 'SetEntitySchemaLabelDescriptionAliases'
+ 'SetEntitySchemaLabelDescriptionAliases',
+ 'edit'
 );
 $this->htmlFormProvider = $htmlFormProvider;
@@ -407,11 +408,11 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
 }
 private function checkBlocked( LinkTarget $title ) {
- if ( MediaWikiServices::getInstance()->getPermissionManager()
- ->isBlockedFrom( $this->getUser(), $title )
+ if ( !MediaWikiServices::getInstance()->getPermissionManager()
+ ->userCan( 'edit', $this->getUser(), $title )
 ) {
 // @phan-suppress-next-line PhanTypeMismatchArgumentNullable
- throw new UserBlockedError( $this->getUser()->getBlock() );
+ throw new UserBlockedError( $this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock() );
 }
 }
-- 
2.20.1
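Review bot: In the `__construct` hunk, the new `'edit'` restriction only denies access if `execute()` actually calls `$this->checkPermissions()` (or otherwise consults `userCanExecute()`), and `execute()` is outside this hunk, so that call should be confirmed before the restriction is counted as a control. The restriction is a user-right check with no title involved, so it does not replace the per-title check in `checkBlocked()`. A short comment on the argument would record the intent, for example `// restriction: enforced by checkPermissions() in execute()`. The constructor body continues past the end of the hunk.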
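Review bot: In `checkBlocked()`, when `userCan( 'edit', … )` is false for a reason other than a block (the case the commit message describes), both `getBlock()` and `getGlobalBlock()` presumably return null and `UserBlockedError` is constructed with null, which the `@phan-suppress-next-line` comment hides from static analysis. The request is still denied, but as an uncaught error rather than a permission page, which turns ordinary denials into fatals and noise in the error log. Resolve the block first and fall back explicitly: `$block = $this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock();`, then `if ( $block === null ) { throw new PermissionsError( 'edit' ); }`, then `throw new UserBlockedError( $block );`. With that the phan suppression can be dropped; `PermissionsError` may need a `use` line if this file does not already import it.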