From f7030004cac0e5325f030ba56a450932b45c92a2 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk
Date: Mon, 1 Aug 2022 21:55:57 +0200
Subject: [PATCH] SECURITY: check for autopatrol when marking own articles as reviewed

Bug: T314245
Change-Id: I9a3c9dafc634c59d7dbf1d6d62da389046a0e22e
---
 includes/Api/ApiPageTriageAction.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/Api/ApiPageTriageAction.php b/includes/Api/ApiPageTriageAction.php
index cc60ed4..6a2c73f 100644
--- a/includes/Api/ApiPageTriageAction.php
+++ b/includes/Api/ApiPageTriageAction.php
@@ -12,6 +12,7 @@ use MediaWiki\Extension\PageTriage\PageTriage;
 use MediaWiki\Extension\PageTriage\PageTriageUtil;
 use MediaWiki\MediaWikiServices;
 use Wikimedia\ParamValidator\ParamValidator;
+use MediaWiki\Revision\RevisionRecord;
 class ApiPageTriageAction extends ApiBase {
@@ -33,6 +34,15 @@ class ApiPageTriageAction extends ApiBase {
 $note = $params['note'];
 if ( isset( $params['reviewed'] ) ) {
+ // T314245 - do not allow someone to mark their own articles as reviewed
+ // when not being autopatrolled
+ $revStore = MediaWikiServices::getInstance()->getRevisionStore();
+ if ( $this->getUser()->equals( $revStore->getFirstRevision( $article->getPage() )->getUser( RevisionRecord::RAW ) )
+ && !$this->getAuthority()->isAllowed( 'autopatrol' )
+ ) {
+ $this->dieWithError( 'markedaspatrollederror-noautopatrol' );
+ }
+
 $result = $this->markAsReviewed( $article, $params['reviewed'], $note, $params['skipnotif'] );
 } else {
 $result = $this->enqueue( $article, $note );
--
2.17.1
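Review bot: The chained call `$revStore->getFirstRevision( $article->getPage() )->getUser( RevisionRecord::RAW )` in the new guard dereferences a value that can be null: `getFirstRevision()` returns null when no first revision is found, so the request would end in a PHP fatal error instead of a clean API error. I would split it into `$firstRev = $revStore->getFirstRevision( $article->getPage() );` and `$creator = $firstRev ? $firstRev->getUser( RevisionRecord::RAW ) : null;`, and refuse a caller without `autopatrol` when `$creator` is null as well as when it equals `$this->getUser()`, so the check fails closed rather than being skipped. The guard also sits under `isset( $params['reviewed'] )` and so applies whatever value `reviewed` carries, which presumably blocks un-reviewing one's own page too; a short comment saying whether that is intended would help. The enclosing method starts and ends outside the hunk, so whether `$article` is already validated before this point cannot be seen here.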