From 590aae9e0d8eedf14ec002b21a9b76055d5faa4a Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Mon, 13 Jun 2016 03:07:48 -0400 Subject: [PATCH] SECURITY: Do not allow users to undelete a page they can't edit or create If the page exists, it only checks edit rights, otherwise it checks both edit and create rights. This would only matter on wikis that have a non-default rights configuration where there are users with undelete rights but a restriction level enabled that prevents them from creating/editing pages (or they otherwise aren't allowed to edit/create) It should be noted that the error messages aren't used in the normal UI currently, but they could be in the future, and extensions could potentially be using them (The backend functions return them, but the UI functions in Special:Undelete ignore them) Bug: T108138 Change-Id: I164b80534cf89e0afca264e9de07431484af8508 --- includes/Title.php | 11 +++++++++++ includes/api/ApiUndelete.php | 8 ++++---- languages/i18n/en.json | 4 +++- languages/i18n/qqq.json | 4 +++- 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/includes/Title.php b/includes/Title.php index a54156f..63df758 100644 --- a/includes/Title.php +++ b/includes/Title.php @@ -2250,6 +2250,17 @@ class Title { ) { $errors[] = array( 'delete-toobig', $wgLang->formatNum( $wgDeleteRevisionsLimit ) ); } + } elseif ( $action === 'undelete' ) { + if ( count( $this->getUserPermissionsErrorsInternal( 'edit', $user, $rigor, true ) ) ) { + // Undeleting implies editing + $errors[] = [ 'undelete-cantedit' ]; + } + if ( !$this->exists() + && count( $this->getUserPermissionsErrorsInternal( 'create', $user, $rigor, true ) ) + ) { + // Undeleting where nothing currently exists implies creating + $errors[] = [ 'undelete-cantcreate' ]; + } } return $errors; } diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php index 332ed51..9177470 100644 --- a/includes/api/ApiUndelete.php +++ b/includes/api/ApiUndelete.php @@ -32,10 +32,6 @@ class ApiUndelete extends ApiBase { public function execute() { $params = $this->extractRequestParams(); - if ( !$this->getUser()->isAllowed( 'undelete' ) ) { - $this->dieUsageMsg( 'permdenied-undelete' ); - } - if ( $this->getUser()->isBlocked() ) { $this->dieUsageMsg( 'blockedtext' ); } @@ -45,6 +41,10 @@ class ApiUndelete extends ApiBase { $this->dieUsageMsg( array( 'invalidtitle', $params['title'] ) ); } + if ( !$titleObj->userCan( 'undelete', $user, 'secure' ) ) { + $this->dieUsageMsg( 'permdenied-undelete' ); + } + // Convert timestamps if ( !isset( $params['timestamps'] ) ) { $params['timestamps'] = array(); diff --git a/languages/i18n/en.json b/languages/i18n/en.json index 8b674fa..41427a2 100644 --- a/languages/i18n/en.json +++ b/languages/i18n/en.json @@ -3535,5 +3535,7 @@ "expand_templates_generate_rawhtml": "Show raw HTML", "expand_templates_preview": "Preview", "expand_templates_preview_fail_html": "Because {{SITENAME}} has raw HTML enabled and there was a loss of session data, the preview is hidden as a precaution against JavaScript attacks.\n\nIf this is a legitimate preview attempt, please try again.\nIf it still does not work, try [[Special:UserLogout|logging out]] and logging back in.", - "expand_templates_preview_fail_html_anon": "Because {{SITENAME}} has raw HTML enabled and you are not logged in, the preview is hidden as a precaution against JavaScript attacks.\n\nIf this is a legitimate preview attempt, please [[Special:UserLogin|log in]] and try again." + "expand_templates_preview_fail_html_anon": "Because {{SITENAME}} has raw HTML enabled and you are not logged in, the preview is hidden as a precaution against JavaScript attacks.\n\nIf this is a legitimate preview attempt, please [[Special:UserLogin|log in]] and try again.", + "undelete-cantedit": "You cannot undelete this page as you are not allowed to edit this page.", + "undelete-cantcreate": "You cannot undelete this page as there is no existing page with this name and you are not allowed to create this page." } diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json index 4d8fb9b..b9edc3b 100644 --- a/languages/i18n/qqq.json +++ b/languages/i18n/qqq.json @@ -3699,5 +3699,7 @@ n* $1 - the action specified in the url.", "expand_templates_generate_rawhtml": "Used as checkbox label.", "expand_templates_preview": "{{Identical|Preview}}", "expand_templates_preview_fail_html": "Used as error message in Preview section of [[Special:ExpandTemplates]] page.", - "expand_templates_preview_fail_html_anon": "Used as error message in Preview section of [[Special:ExpandTemplates]] page." + "expand_templates_preview_fail_html_anon": "Used as error message in Preview section of [[Special:ExpandTemplates]] page.", + "undelete-cantedit": "Shown if the user tries to undelete a page that they cannot edit", + "undelete-cantcreate": "Shown if the user tries to undelete a page which currently does not exist, and they are not allowed to create it. This could for example happen on a wiki with custom protection levels where the page name has been create-protected and the user has the right to undelete but not the right to edit protected pages." } -- 2.9.3