From bab6c698ebb4362d4f928e566a7b9cb7e198abe6 Mon Sep 17 00:00:00 2001
From: Matthew Flaschen <mflaschen@wikimedia.org>
Date: Mon, 10 Apr 2017 14:50:33 -0400
Subject: [PATCH] SECURITY: Don't treat non-existent user as "any anon"

Due to an issue with how the username was checked, it would show
all topics created by any anon when a non-existent user was requested.

Bug: T162621
Change-Id: I243712cedb75fc9c51dc45404eed65bf2d42c111
---
 Hooks.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Hooks.php b/Hooks.php
index 468f756..edf226b 100644
--- a/Hooks.php
+++ b/Hooks.php
@@ -1886,7 +1886,7 @@ class FlowHooks {
 		$userWhere = array();
 		if ( $username ) {
 			$user = User::newFromName( $username );
-			if ( $user ) {
+			if ( $user && $user->isLoggedIn() ) {
 				$userWhere = array( 'tree_orig_user_id' => $user->getId() );
 			} else {
 				$userWhere = array( 'tree_orig_user_ip' => $username );
-- 
2.1.4