From d8a8df78569f339c0dafffbc0481ae85fc1deeed Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 13 Jun 2016 03:07:48 -0400
Subject: [PATCH] SECURITY: Do not allow users to undelete a page they can't
 edit or create

If the page exists, it only checks edit rights, otherwise it
checks both edit and create rights.

This would only matter on wikis that have a non-default rights
configuration where there are users with undelete rights but a
restriction level enabled that prevents them from creating/editing
pages (or they otherwise aren't allowed to edit/create)

It should be noted that the error messages aren't used in the
normal UI currently, but they could be in the future, and
extensions could potentially be using them (The backend functions
return them, but the UI functions in Special:Undelete ignore
them)

Bug: T108138
Change-Id: I164b80534cf89e0afca264e9de07431484af8508
---
 includes/Title.php           | 13 ++++++++++++-
 includes/api/ApiUndelete.php |  7 ++++---
 languages/i18n/en.json       |  4 +++-
 languages/i18n/qqq.json      |  4 +++-
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/includes/Title.php b/includes/Title.php
index 213572b..2942f9f 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -2280,7 +2280,18 @@ class Title implements LinkTarget {
 			) {
 				$errors[] = [ 'delete-toobig', $wgLang->formatNum( $wgDeleteRevisionsLimit ) ];
 			}
-		}
+		} elseif ( $action === 'undelete' ) {
+			if ( count( $this->getUserPermissionsErrorsInternal( 'edit', $user, $rigor, true ) ) ) {
+				// Undeleting implies editing
+				$errors[] = [ 'undelete-cantedit' ];
+			}
+			if ( !$this->exists()
+				&& count( $this->getUserPermissionsErrorsInternal( 'create', $user, $rigor, true ) )
+			) {
+				// Undeleting where nothing currently exists implies creating
+				$errors[] = [ 'undelete-cantcreate' ];
+			}
+ 		}
 		return $errors;
 	}
 
diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php
index e24f2ce..e201c4e 100644
--- a/includes/api/ApiUndelete.php
+++ b/includes/api/ApiUndelete.php
@@ -34,9 +34,6 @@ class ApiUndelete extends ApiBase {
 
 		$params = $this->extractRequestParams();
 		$user = $this->getUser();
-		if ( !$user->isAllowed( 'undelete' ) ) {
-			$this->dieUsageMsg( 'permdenied-undelete' );
-		}
 
 		if ( $user->isBlocked() ) {
 			$this->dieBlocked( $user->getBlock() );
@@ -47,6 +44,10 @@ class ApiUndelete extends ApiBase {
 			$this->dieUsageMsg( [ 'invalidtitle', $params['title'] ] );
 		}
 
+		if ( !$titleObj->userCan( 'undelete', $user, 'secure' ) ) {
+			$this->dieUsageMsg( 'permdenied-undelete' );
+		}
+
 		// Check if user can add tags
 		if ( !is_null( $params['tags'] ) ) {
 			$ableToTag = ChangeTags::canAddTagsAccompanyingChange( $params['tags'], $user );
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 5326203..e2070df 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -4239,5 +4239,7 @@
 	"restrictionsfield-label": "Allowed IP ranges:",
 	"restrictionsfield-help": "One IP address or CIDR range per line. To enable everything, use<br><code>0.0.0.0/0</code><br><code>::/0</code>",
 	"edit-error-short": "Error: $1",
-	"edit-error-long": "Errors:\n\n$1"
+	"edit-error-long": "Errors:\n\n$1",
+	"undelete-cantedit": "You cannot undelete this page as you are not allowed to edit this page.",
+	"undelete-cantcreate": "You cannot undelete this page as there is no existing page with this name and you are not allowed to create this page."
 }
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 87fc9eb..84ba4f5 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -4423,5 +4423,7 @@
 	"restrictionsfield-label": "Field label shown for restriction fields (e.g. on Special:BotPassword).",
 	"restrictionsfield-help": "Placeholder text displayed in restriction fields (e.g. on Special:BotPassword).",
 	"edit-error-short": "Error message. Parameters:\n* $1 - the error details\nSee also:\n* {{msg-mw|edit-error-long}}\n{{Identical|Error}}",
-	"edit-error-long": "Error message. Parameters:\n* $1 - the error details\nSee also:\n* {{msg-mw|edit-error-short}}\n{{Identical|Error}}"
+	"edit-error-long": "Error message. Parameters:\n* $1 - the error details\nSee also:\n* {{msg-mw|edit-error-short}}\n{{Identical|Error}}",
+	"undelete-cantedit": "Shown if the user tries to undelete a page that they cannot edit",
+	"undelete-cantcreate": "Shown if the user tries to undelete a page which currently does not exist, and they are not allowed to create it. This could for example happen on a wiki with custom protection levels where the page name has been create-protected and the user has the right to undelete but not the right to edit protected pages."
 }
-- 
2.9.3