From 5982709c6443050dbb971437d9607b1bda392b82 Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Wed, 27 Nov 2019 12:03:10 +0100
Subject: [PATCH] SECURITY: Skip deleted RCs in /test if we're only showing
 matches

Otherwise we'd be revealing whether or not the filter matches the edit.
If we're showing all edits regardless of whether they match the filter,
we can keep showing the row: it will be redacted (and the filter result
hidden) by AbuseFilterChangesList.

Bug: T223654
Change-Id: Ib52344c731fbfd90e4247d4b762af5c1e6421ea3
---
 includes/Views/AbuseFilterViewTestBatch.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/Views/AbuseFilterViewTestBatch.php b/includes/Views/AbuseFilterViewTestBatch.php
index da985b2f..376a85a6 100644
--- a/includes/Views/AbuseFilterViewTestBatch.php
+++ b/includes/Views/AbuseFilterViewTestBatch.php
@@ -222,6 +222,16 @@ class AbuseFilterViewTestBatch extends AbuseFilterView {
 			if ( $result || $this->mShowNegative ) {
 				// Stash result in RC item
 				$rc = RecentChange::newFromRow( $row );
+				if (
+					(int)$rc->getAttribute( 'rc_deleted' ) !== 0 &&
+					!$changesList->userCan( $rc, Revision::SUPPRESSED_ALL ) &&
+					!$this->mShowNegative
+				) {
+					// If the RC is deleted, the user can't see it, and we're only showing matches,
+					// always skip this row. If mShowNegative is true, we can still show the row
+					// because we won't tell whether it matches the given filter.
+					continue;
+				}
 				// @phan-suppress-next-line PhanUndeclaredProperty not a big deal
 				$rc->filterResult = $result;
 				$rc->counter = $counter++;
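Review bot: The deleted-row skip runs only after the filter has already been evaluated against the row. `$result` is tested on the `if ( $result || $this->mShowNegative )` line and must be computed above this hunk, so the hidden change is still fed to the filter and only its display is suppressed. Any other output derived from per-row results (a match total, profiling data) would still reflect the skipped row; none is visible from here, so please confirm that nothing of the kind is rendered in matches-only mode. Inside the new condition, putting the cheap property test first avoids calling `userCan()` when negatives are shown: `if ( !$this->mShowNegative && (int)$rc->getAttribute( 'rc_deleted' ) !== 0 && !$changesList->userCan( $rc, Revision::SUPPRESSED_ALL ) ) {`. The inline comment could also state that any nonzero `rc_deleted` value reaches the permission check, not just full suppression, and a regression test covering a deleted row in matches-only mode would pin this fix. The enclosing loop starts and ends outside the hunk.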
