From 9bf90df423bcdfc03a6be1edbe3041e8258bfda5 Mon Sep 17 00:00:00 2001 From: Alexander Vorwerk Date: Sat, 25 Jun 2022 18:02:00 +0200 Subject: [PATCH] SECURITY: do not render suppressed usernames at Special:CheckUser Bug: T311337 Change-Id: I86f6b0f940d9946878fb118a2f577b08bfad7e20 --- includes/specials/SpecialCheckUser.php | 78 ++++++++++++++++++++----------- 1 file changed, 51 insertions(+), 27 deletions(-) diff --git a/includes/specials/SpecialCheckUser.php b/includes/specials/SpecialCheckUser.php index 5c82287..23d5048 100644 --- a/includes/specials/SpecialCheckUser.php +++ b/includes/specials/SpecialCheckUser.php @@ -1948,33 +1948,7 @@ class SpecialCheckUser extends SpecialPage { } else { $line .= ''; } - $line .= Linker::userLink( - $idforlinknfn, $row->cuc_user_text, $row->cuc_user_text ) . ''; - $line .= Linker::userToolLinksRedContribs( - $idforlink, - $row->cuc_user_text, - $user->getEditCount(), - // don't render parentheses in HTML markup (CSS will provide) - false - ); - // Get block info - if ( isset( $flagCache[$row->cuc_user_text] ) ) { - $flags = $flagCache[$row->cuc_user_text]; - } else { - $user = User::newFromName( $row->cuc_user_text, false ); - $ip = IPUtils::isIPAddress( $row->cuc_user_text ) ? $row->cuc_user_text : ''; - $flags = $this->userBlockFlags( $ip, $row->cuc_user, $user ); - $flagCache[$row->cuc_user_text] = $flags; - } - // Add any block information - if ( count( $flags ) ) { - $line .= ' ' . implode( ' ', $flags ); - } - // Action text, hackish ... - if ( $row->cuc_actiontext ) { - $line .= ' ' . Linker::formatComment( $row->cuc_actiontext ) . ' '; - } - // Comment + if ( $row->cuc_type == RC_EDIT || $row->cuc_type == RC_NEW ) { $revRecord = MediaWikiServices::getInstance() ->getRevisionLookup() 
@@ -2007,6 +1981,56 @@ class SpecialCheckUser extends SpecialPage { ); } } + + $hidden = !RevisionRecord::userCanBitfield( + $revRecord->getVisibility(), + RevisionRecord::DELETED_USER, + $this->getUser() + ); + } else { + // To make phan happy + $revRecord = null; + + $hidden = $user->isHidden() && !$this->getAuthority()->isAllowed( 'hideuser' ); + } + + if ( $hidden ) { + $line .= Html::element( + 'span', + [ 'class' => 'history-deleted' ], + $this->msg( 'rev-deleted-user' )->text() + ); + } else { + $line .= Linker::userLink( + $idforlinknfn, $row->cuc_user_text, $row->cuc_user_text ) . ''; + $line .= Linker::userToolLinksRedContribs( + $idforlink, + $row->cuc_user_text, + $user->getEditCount(), + // don't render parentheses in HTML markup (CSS will provide) + false + ); + } + + // Get block info + if ( isset( $flagCache[$row->cuc_user_text] ) ) { + $flags = $flagCache[$row->cuc_user_text]; + } else { + $user = User::newFromName( $row->cuc_user_text, false ); + $ip = IPUtils::isIPAddress( $row->cuc_user_text ) ? $row->cuc_user_text : ''; + $flags = $this->userBlockFlags( $ip, $row->cuc_user, $user ); + $flagCache[$row->cuc_user_text] = $flags; + } + // Add any block information + if ( count( $flags ) ) { + $line .= ' ' . implode( ' ', $flags ); + } + // Action text, hackish ... + if ( $row->cuc_actiontext ) { + $line .= ' ' . Linker::formatComment( $row->cuc_actiontext ) . ' '; + } + // Comment + if ( $row->cuc_type == RC_EDIT || $row->cuc_type == RC_NEW ) { if ( RevisionRecord::userCanBitfield( $revRecord->getVisibility(), RevisionRecord::DELETED_COMMENT, -- 2.17.1
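Review bot: In the `RC_EDIT`/`RC_NEW` branch `$hidden` is taken only from the revision's `DELETED_USER` bit, while the `$user->isHidden()` test is applied only in the `else` branch. Unless every revision of a hidden account is guaranteed to carry that bit, such a row still reaches `Linker::userLink()` with the name. Consider combining both after the if/else, e.g. `$hidden = $hidden || ( $user->isHidden() && !$this->getAuthority()->isAllowed( 'hideuser' ) );`, assuming `$user` (set outside this hunk) is the row's user in both branches. The action text is also still appended through `Linker::formatComment( $row->cuc_actiontext )` whether or not `$hidden` is true; if that text can embed the suppressed name for log rows, it needs the same guard. The enclosing method starts and ends outside the hunk, so the revision lookup between the two hunks could not be checked.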