From 3e5c0e901f14c5c5c17d1f95212786961f45be37 Mon Sep 17 00:00:00 2001
From: dylsss
Date: Sat, 8 Jan 2022 20:56:17 +0000
Subject: [PATCH] SECURITY: Disallow blocked users from resetting transcodes

Only that the user had the right itself was checked, rather than fully checking that the user has permission to perform the transcode-reset action.

Bug: T160800
Change-Id: I285c7c189af350be22f5de7b1c6757ad7479a20c
---
 includes/ApiTranscodeReset.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/includes/ApiTranscodeReset.php b/includes/ApiTranscodeReset.php
index 04782581..91e87f64 100644
--- a/includes/ApiTranscodeReset.php
+++ b/includes/ApiTranscodeReset.php
@@ -21,16 +21,18 @@ class ApiTranscodeReset extends ApiBase {
 if ( !$this->getConfig()->get( 'EnableTranscode' ) ) {
 $this->dieWithError( 'apierror-timedmedia-disabledtranscode', 'disabledtranscode' );
 }
-
- // Confirm the user has the transcode-reset right
- $this->checkUserRightsAny( 'transcode-reset' );
+
 $params = $this->extractRequestParams();
-
- // Make sure we have a valid Title
 $titleObj = Title::newFromText( $params['title'] );
+
+ // Make sure we have a valid Title
 if ( !$titleObj || $titleObj->isExternal() ) {
 $this->dieWithError( [ 'apierror-invalidtitle', wfEscapeWikiText( $params['title'] ) ] );
 }
+
+ // Check that the user has permmission to reset transcodes on the file
+ $this->checkTitleUserPermissions( $titleObj, 'transcode-reset' );
+
 // Make sure the title can be transcoded
 if ( !TimedMediaHandlerHooks::isTranscodableTitle( $titleObj ) ) {
 $this->dieWithError(
--
2.30.2
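Review bot: The added `checkTitleUserPermissions( $titleObj, 'transcode-reset' )` call is the entire security fix, yet its comment does not say why a title-level check replaced `checkUserRightsAny`, and the diffstat shows no test for the blocked-user case. I would reword the comment to `// Full permission check (the right plus any block on the user), not just the bare right; see T160800`, which also fixes the "permmission" typo. An API test asserting that a blocked account holding `transcode-reset` is refused would stop a later refactor from quietly restoring the rights-only check. Because the check now sits after title parsing, a caller without the right receives `apierror-invalidtitle` for a malformed title before any permission error; that looks harmless, but it is worth confirming the ordering is intended. The enclosing method starts and ends outside the hunk.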