From 0b50e51081c038144843030c86ddee94edfbf46a Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Mon, 4 Jan 2021 18:06:09 +0000
Subject: [PATCH] SECURITY: Allow user to only apply protection they have right
 to do so via action=protect

'apierror-protect-invalidlevel' potentially wants updating at a later point, as the
message doesn't necessarily make clear what the error is; the protection may be valid
but the user's right to do so is not.

Bug: T270713
Change-Id: I72fe67264baa4123599ec424a7d780192ca54bcc
---
 includes/api/ApiProtect.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 16f7a55a56..50f2521caf 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -67,6 +67,10 @@ class ApiProtect extends ApiBase {
 		}
 
 		$restrictionTypes = $titleObj->getRestrictionTypes();
+		$levels = $this->getPermissionManager()->getNamespaceRestrictionLevels(
+			$titleObj->getNamespace(),
+			$user
+		);
 
 		$protections = [];
 		$expiryarray = [];
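Review bot: The new `$levels` lookup is the authorization gate for this endpoint, but nothing in the code says so, and a later refactor could swap it back for the site-wide `RestrictionLevels` config and reintroduce the bug. I would add a comment above the call, for example `// Levels $user is allowed to apply in this namespace; do not replace with the global RestrictionLevels list (T270713).` `$user` is assigned above the hunk, so it cannot be confirmed from here that it is the requesting user. The commit also touches only this one file and adds no regression test; a case where a user requests a level they lack the right for and receives `apierror-protect-invalidlevel` would pin the fix.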
@@ -85,7 +89,7 @@ class ApiProtect extends ApiBase {
 			if ( !in_array( $p[0], $restrictionTypes ) && $p[0] != 'create' ) {
 				$this->dieWithError( [ 'apierror-protect-invalidaction', wfEscapeWikiText( $p[0] ) ] );
 			}
-			if ( !in_array( $p[1], $this->getConfig()->get( 'RestrictionLevels' ) ) && $p[1] != 'all' ) {
+			if ( !in_array( $p[1], $levels ) && $p[1] != 'all' ) {
 				$this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
 			}
 
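Review bot: The permission comparison on the changed line still uses loose `in_array`, and `'all'` is still accepted without consulting `$levels`. Since this condition now decides which levels a user is authorized to apply, strict matching is the safer form: `if ( !in_array( $p[1], $levels, true ) && $p[1] !== 'all' ) {`. That assumes `$p` comes from splitting the request string, so `$p[1]` is always a string; the split happens above the hunk. How `'all'` is mapped afterwards is also outside the hunk, and if it resolves to a level that is not guaranteed to be in the per-user list, it should be checked against `$levels` as well. The enclosing loop and method continue beyond the hunk.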
-- 
2.24.3 (Apple Git-128)

