From 171cfaad80466d6bd390596798db033bdb5466fc Mon Sep 17 00:00:00 2001
From: MusikAnimal <musikanimal@gmail.com>
Date: Fri, 11 Apr 2025 17:56:57 -0400
Subject: [PATCH] SECURITY: BlockList: Hide rows containing suppressed users

Bug: T391343
Change-Id: I8f4aa74b85171ab595855a1aec975259573fb390
---
 includes/specials/pagers/BlockListPager.php   | 15 ++++++-----
 .../specials/pagers/BlockListPagerTest.php    | 27 +++++++++++++++++++
 2 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/includes/specials/pagers/BlockListPager.php b/includes/specials/pagers/BlockListPager.php
index 3b05637dd77..5b2f1810bf1 100644
--- a/includes/specials/pagers/BlockListPager.php
+++ b/includes/specials/pagers/BlockListPager.php
@@ -507,6 +507,14 @@ class BlockListPager extends TablePager {
 		# Filter out any expired blocks
 		$info['conds'][] = $db->expr( 'bl_expiry', '>', $db->timestamp() );
 
+		# Determine if the user is hidden
+		# With multiblocks we can't just rely on bl_deleted in the row being formatted
+		$info['fields']['hu_deleted'] = $this->hideUserUtils->getExpression(
+			$db,
+			'block_target.bt_user',
+			HideUserUtils::HIDDEN_USERS
+		);
+
 		# Filter out blocks with the deleted option if the user doesn't
 		# have permission to see hidden users
 		# TODO: consider removing this -- we could just redact them instead.
@@ -516,14 +524,9 @@ class BlockListPager extends TablePager {
 		# was a convenient way to avoid showing the target name.
 		if ( !$this->getAuthority()->isAllowed( 'hideuser' ) ) {
 			$info['conds']['bl_deleted'] = 0;
+			$info['conds']['hu_deleted'] = 0;
 		}
 
-		# Determine if the user is hidden
-		# With multiblocks we can't just rely on bl_deleted in the row being formatted
-		$info['fields']['hu_deleted'] = $this->hideUserUtils->getExpression(
-			$db,
-			'block_target.bt_user',
-			HideUserUtils::HIDDEN_USERS );
 		return $info;
 	}
 
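Review bot: The added `$info['conds']['hu_deleted'] = 0;` filters on `hu_deleted`, which this commit defines only as a select alias under `$info['fields']` (first hunk), not as a table column. If the query builder renders that key verbatim into the WHERE clause, MySQL and PostgreSQL will not resolve a select-list alias there, so the query would fail for every viewer without `hideuser`. The new test would not catch this because it only inspects the array. Filtering on the expression itself avoids the alias, e.g. `$info['conds'][] = $this->hideUserUtils->getExpression( $db, 'block_target.bt_user', HideUserUtils::SHOWN_USERS );`, assuming `SHOWN_USERS` yields the negated condition, which is not visible here. getQueryInfo starts outside the hunk.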
diff --git a/tests/phpunit/includes/specials/pagers/BlockListPagerTest.php b/tests/phpunit/includes/specials/pagers/BlockListPagerTest.php
index 4f92cb617d3..dc72a4028e7 100644
--- a/tests/phpunit/includes/specials/pagers/BlockListPagerTest.php
+++ b/tests/phpunit/includes/specials/pagers/BlockListPagerTest.php
@@ -13,6 +13,7 @@ use MediaWiki\Context\RequestContext;
 use MediaWiki\Linker\LinkRenderer;
 use MediaWiki\MainConfigNames;
 use MediaWiki\Pager\BlockListPager;
+use MediaWiki\Permissions\SimpleAuthority;
 use MediaWiki\Permissions\UltimateAuthority;
 use MediaWiki\Request\FauxRequest;
 use MediaWiki\SpecialPage\SpecialPageFactory;
@@ -346,6 +347,32 @@ class BlockListPagerTest extends MediaWikiIntegrationTestCase {
 		$this->assertEquals( $title->getNamespace(), $restriction->getTitle()->getNamespace() );
 	}
 
+	/**
+	 * @covers ::getQueryInfo
+	 */
+	public function testGetQueryInfo(): void {
+		$pager = $this->getBlockListPager();
+		RequestContext::getMain()->setAuthority(
+			new SimpleAuthority(
+				$this->getTestSysop()->getUserIdentity(),
+				[ 'block' ]
+			)
+		);
+		$queryInfo = $pager->getQueryInfo();
+		$this->assertEquals( $queryInfo['conds']['bl_deleted'], 0 );
+		$this->assertEquals( $queryInfo['conds']['hu_deleted'], 0 );
+		// Switch to suppressor
+		RequestContext::getMain()->setAuthority(
+			new SimpleAuthority(
+				$this->getTestSysop()->getUserIdentity(),
+				[ 'block', 'hideuser' ]
+			)
+		);
+		$queryInfo = $pager->getQueryInfo();
+		$this->assertArrayNotHasKey( 'bl_deleted', $queryInfo['conds'] );
+		$this->assertArrayNotHasKey( 'hu_deleted', $queryInfo['conds'] );
+	}
+
 	/**
 	 * T352310 regression test
 	 * @coversNothing
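Review bot: testGetQueryInfo only checks whether the `bl_deleted` and `hu_deleted` keys are present in `conds`; it never runs the query, so it does not show that a row for a suppressed user is actually withheld from a viewer lacking `hideuser`. For a security fix the regression test should cover the multiblock case the code comment describes: a target with one hideuser block and one ordinary block, paged as a `[ 'block' ]` authority with neither row returned, and as a suppressor with both returned. The pager is also built before `setAuthority()` is called, so the test relies on the pager reading the main context lazily, which is not visible in this hunk. Minor: the assertions pass expected and actual in reverse order and compare loosely; `$this->assertSame( 0, $queryInfo['conds']['hu_deleted'] );` is stricter.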
-- 
2.34.1

