Merge "SECURITY: Require view-private or modify for the evalexpression API"

i18n/api/en.json

@@ -57,6 +57,7 @@
 	"apihelp-abuselogprivatedetails-example-1": "Get private details for the AbuseLog entry with ID 1, using the reason \"example\".",
 	"apierror-abusefilter-canttest": "You don't have permission to test abuse filters.",
 	"apierror-abusefilter-cantcheck": "You don't have permission to check syntax of abuse filters.",
+	"apierror-abusefilter-canteval": "You don't have permission to evaluate AbuseFilter expressions.",
 	"apierror-abusefilter-nosuchlogid": "There is no abuselog entry with the id $1.",
 	"apierror-abusefilter-badsyntax": "The filter has invalid syntax."
 }

i18n/api/qqq.json

@@ -89,6 +89,7 @@
 	"apihelp-abuselogprivatedetails-example-1": "{{doc-apihelp-example|abuselogprivatedetails}}",
 	"apierror-abusefilter-canttest": "{{doc-apierror}}",
 	"apierror-abusefilter-cantcheck": "{{doc-apierror}}",
+	"apierror-abusefilter-canteval": "{{doc-apierror}}",
 	"apierror-abusefilter-nosuchlogid": "{{doc-apierror}}\n\nParameters:\n* $1 - AbuseFilter log ID number.",
 	"apierror-abusefilter-badsyntax": "{{doc-apierror}}"
 }

includes/api/ApiAbuseFilterEvalExpression.php

@@ -5,6 +5,11 @@ class ApiAbuseFilterEvalExpression extends ApiBase {
 	 * @see ApiBase::execute()
 	 */
 	public function execute() {
+		// "Anti-DoS"
+		if ( !AbuseFilter::canViewPrivate( $this->getUser() ) ) {
+			$this->dieWithError( 'apierror-abusefilter-canteval', 'permissiondenied' );
+		}
+
 		$params = $this->extractRequestParams();
 
 		$result = AbuseFilter::evaluateExpression( $params['expression'] );