From 33445addff289ac7423a5f65ef1196fec285b7f3 Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Tue, 9 Mar 2021 16:09:41 -0600
Subject: [PATCH] SECURITY: Remove deleted rows from /examine and /test

This is kind of a nuclear option: if anything in a row is hidden, we
hide the whole row. This is just to keep this patch slim. A public
follow-up will adjust the visibility.

Bug: T274152
Change-Id: I6063c02fa261c4cc0e6dbbb2db4e111eb85912c2
---
 includes/Pager/AbuseFilterExaminePager.php | 3 ++-
 includes/View/AbuseFilterView.php          | 8 ++++++++
 includes/View/AbuseFilterViewTestBatch.php | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/includes/Pager/AbuseFilterExaminePager.php b/includes/Pager/AbuseFilterExaminePager.php
index 1d32a8b1..e1e0788a 100644
--- a/includes/Pager/AbuseFilterExaminePager.php
+++ b/includes/Pager/AbuseFilterExaminePager.php
@@ -59,12 +59,13 @@ class AbuseFilterExaminePager extends ReverseChronologicalPager {
 		}
 
 		$conds[] = $this->mPage->buildTestConditions( $dbr );
+		$conds = array_merge( $conds, $this->mPage->buildVisibilityConditions() );
 
 		$rcQuery = RecentChange::getQueryInfo();
 		$info = [
 			'tables' => $rcQuery['tables'],
 			'fields' => $rcQuery['fields'],
-			'conds' => array_filter( $conds ),
+			'conds' => $conds,
 			'join_conds' => $rcQuery['joins'],
 		];
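Review bot: Nothing in the new code records why `array_filter()` was dropped from `'conds'`, and the reason is load-bearing: `'rc_deleted' => 0` has a falsy value, so a filter re-added later would silently strip the visibility restriction and hidden rows would be listed again. A comment above the `$info` array such as `// No array_filter() here: it would drop 'rc_deleted' => 0 and expose hidden rows` would guard against that. With the filter gone, any empty entry placed in `$conds` earlier in this method now reaches the query builder; that code is above the hunk, so it is worth confirming every earlier entry is only added conditionally. The same check applies to the `$dbr->select()` call in AbuseFilterViewTestBatch.php, whose arguments fall outside its hunk.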
 
diff --git a/includes/View/AbuseFilterView.php b/includes/View/AbuseFilterView.php
index ec6dd98d..421d09f9 100644
--- a/includes/View/AbuseFilterView.php
+++ b/includes/View/AbuseFilterView.php
@@ -188,6 +188,14 @@ abstract class AbuseFilterView extends ContextSource {
 		], LIST_OR );
 	}
 
+	/**
+	 * @todo Check what the user can actually see and use a proper bitmask. Core should provide such a method though.
+	 * @return array
+	 */
+	public function buildVisibilityConditions() : array {
+		return [ 'rc_deleted' => 0 ];
+	}
+
 	/**
 	 * @param string|int $id
 	 * @param string|null $text
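Review bot: The docblock on `buildVisibilityConditions()` has a `@todo` and a bare `@return array` but no summary, so a caller cannot tell that this is a security filter rather than an optional refinement. I would add a summary line such as `Conditions that exclude recentchanges rows with any hidden field (rc_deleted != 0), regardless of what the viewer may see.` and tighten the tag to `@return array<string,int>`. The docblock should also say that the result must not be passed through `array_filter()`, because its only value is 0.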
diff --git a/includes/View/AbuseFilterViewTestBatch.php b/includes/View/AbuseFilterViewTestBatch.php
index 4ab70f58..e850a3fc 100644
--- a/includes/View/AbuseFilterViewTestBatch.php
+++ b/includes/View/AbuseFilterViewTestBatch.php
@@ -255,6 +255,7 @@ class AbuseFilterViewTestBatch extends AbuseFilterView {
 
 		$action = $this->mTestAction !== '0' ? $this->mTestAction : false;
 		$conds[] = $this->buildTestConditions( $dbr, $action );
+		$conds = array_merge( $conds, $this->buildVisibilityConditions() );
 
 		$rcQuery = RecentChange::getQueryInfo();
 		$res = $dbr->select(
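Review bot: The restriction is opt-in per query and the diffstat shows no test accompanying it, so nothing would catch a later query in these views that omits the `array_merge( $conds, $this->buildVisibilityConditions() )` line. A regression test that stores a recentchanges row with a non-zero `rc_deleted` and asserts it is absent from the batch results would pin the behaviour. Any other path in the examine and test views that loads a recentchanges row directly is not visible in this patch and presumably needs the same condition. The enclosing method starts and ends outside the hunk.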
-- 
2.28.0

