From 06798f3f5f9d3c7a206830dffcbdf3b2beec38e5 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Wed, 29 Oct 2014 08:41:20 -0700
Subject: [PATCH] SECURITY: Do not show log action if revdeleted

Also do not include revdeleted entries in search results when filtering by action if user cannot view that info.

Bug: 72222
Change-Id: I9f331c421c55323018765456d6a99229e1fff592
---
 includes/api/ApiQueryLogEvents.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php
index eb5ca4f..0c14b78 100644
--- a/includes/api/ApiQueryLogEvents.php
+++ b/includes/api/ApiQueryLogEvents.php
@@ -200,7 +200,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
  }
 
  // Paranoia: avoid brute force searches (bug 17342)
- if ( $params['namespace'] !== null || !is_null( $title ) || !is_null( $user ) ) {
+ $hideActions = $params['namespace'] !== null || !is_null( $title ) || !is_null( $params['action'] );
+ if ( $hideActions || !is_null( $user ) ) {
  if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
  $titleBits = LogPage::DELETED_ACTION;
  $userBits = LogPage::DELETED_USER;
@@ -211,7 +212,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
  $titleBits = 0;
  $userBits = 0;
  }
- if ( ( $params['namespace'] !== null || !is_null( $title ) ) && $titleBits ) {
+ if ( $hideActions && $titleBits ) {
  $this->addWhere( $db->bitAnd( 'log_deleted', $titleBits ) . " != $titleBits" );
  }
  if ( !is_null( $user ) && $userBits ) {
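Review bot: The new `$hideActions` line mixes two null-check idioms in a single expression (`$params['namespace'] !== null` beside `!is_null( $params['action'] )`), and the name reads like an output decision although the flag only selects which rows the query excludes; `$excludeActionDeleted = $params['namespace'] !== null || $title !== null || $params['action'] !== null;` would say what it does and use one idiom. The `// Paranoia` comment above the hunk also no longer explains why an action filter is in the list; extending it to `// Paranoia: avoid brute force searches (bug 17342). Filtering by namespace, title or action would reveal data hidden under DELETED_ACTION, so such queries drop those rows for users who may not see it.` keeps the rationale next to the check. The branch that assigns the bits for users holding the stronger right lies between this hunk and the next and is not visible here.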
@@ -372,12 +373,18 @@ class ApiQueryLogEvents extends ApiQueryBase {
  $title = Title::makeTitle( $row->log_namespace, $row->log_title );
  }
 
- if ( $this->fld_title || $this->fld_ids || $this->fld_details && $row->log_params !== '' ) {
+ if ( $this->fld_title || $this->fld_ids || $this->fld_type
+ || $this->fld_details && $row->log_params !== ''
+ ) {
  if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) {
  $vals['actionhidden'] = '';
  $anyHidden = true;
  }
  if ( LogEventsList::userCan( $row, LogPage::DELETED_ACTION, $user ) ) {
+
+ if ( $this->fld_type ) {
+ $vals['action'] = $row->log_action;
+ }
  if ( $this->fld_title ) {
  ApiQueryBase::addTitleInfo( $vals, $title );
  }
@@ -399,9 +406,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
  }
  }
 
- if ( $this->fld_type || $this->fld_action ) {
+ if ( $this->fld_type ) {
  $vals['type'] = $row->log_type;
- $vals['action'] = $row->log_action;
  }
 
  if ( $this->fld_user || $this->fld_userid ) {
--
1.8.4.5
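Review bot: The condition that was split across three lines now relies on `&&` binding tighter than `||` to read correctly, which was easy to see on one line and is not on three; writing the last operand as `|| ( $this->fld_details && $row->log_params !== '' )` makes the grouping explicit. The added lines also leave an empty line directly after the `userCan( ... ) ) {` brace, which the surrounding code does not do. Since moving `action` under the `userCan` gate is the point of the fix, a one-line comment on the new `if ( $this->fld_type )` block, such as `// log_action is covered by DELETED_ACTION, so it is only emitted to users allowed to see the hidden action`, records why it no longer sits with `type` below. The enclosing method starts and ends outside this hunk.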
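Review bot: Dropping `$this->fld_action` from this condition while the relocated emission in the previous hunk is gated on `$this->fld_type` alone means that, if `fld_action` is still populated from a `prop` value elsewhere in the class (its initialiser is outside this hunk), requesting that prop by itself no longer returns `action` at all. If the property is still live, the new gate in the previous hunk should read `if ( $this->fld_type || $this->fld_action ) {`; if it is already dead, removing the property and its initialiser in the same commit would make that explicit. Leaving `type` visible for rows whose action is hidden appears intentional, since nothing in the change treats `log_type` as covered by the deleted bits, but a short comment above this block stating that would save the next reader the same question.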