From 0b956a0d07981cfadd43e53591e6077dd87d513b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Such=C3=A1nek?=
Date: Fri, 7 Apr 2017 19:23:11 +0000
Subject: [PATCH] Disallow editing abuse filters for blocked users

This also changes the previous behavior - users who lost their rights between opening and saving a filter now also get the message. Additionally, User::matchEditToken() now doesn't use the global $wgRequest.

Bug: T142389
Change-Id: I931068ff79a6835ad6e63a12ce9dbfcc1cb6c8b9
---
 Views/AbuseFilterView.php | 5 ++++-
 Views/AbuseFilterViewEdit.php | 15 ++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/Views/AbuseFilterView.php b/Views/AbuseFilterView.php
index 6a40283ee..a6064aea6 100644
--- a/Views/AbuseFilterView.php
+++ b/Views/AbuseFilterView.php
@@ -35,7 +35,10 @@ abstract class AbuseFilterView extends ContextSource {
 * @return bool
 */
 public function canEdit() {
- return $this->getUser()->isAllowed( 'abusefilter-modify' );
+ return (
+ !$this->getUser()->isBlocked() &&
+ $this->getUser()->isAllowed( 'abusefilter-modify' )
+ );
 }
 /**
diff --git a/Views/AbuseFilterViewEdit.php b/Views/AbuseFilterViewEdit.php
index 21d4f94ba..59d67a34c 100644
--- a/Views/AbuseFilterViewEdit.php
+++ b/Views/AbuseFilterViewEdit.php
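Review bot: In `canEdit()` in Views/AbuseFilterView.php the new `isBlocked()` call uses its default argument, which as far as I recall allows the block lookup to be answered from a replica, so on the save path a block placed moments earlier could be missed. If the core `User::isBlocked()` signature in the targeted MediaWiki version supports it, consider forcing a master read where the result gates a write, e.g. `!$this->getUser()->isBlocked( false ) &&`. The docblock above the method still only says `@return bool`; it should state that blocked users are refused even when they hold `abusefilter-modify`. Any other entry point that tests `isAllowed( 'abusefilter-modify' )` directly instead of calling `canEdit()` (none are visible in this patch) would not pick up the block check. The class body continues outside the hunk.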
@@ -24,16 +24,16 @@ class AbuseFilterViewEdit extends AbuseFilterView {
 // Add default warning messages
 $this->exposeWarningMessages();
- if ( $filter == 'new' && !$user->isAllowed( 'abusefilter-modify' ) ) {
+ if ( $filter == 'new' && !$this->canEdit() ) {
 $out->addWikiMsg( 'abusefilter-edit-notallowed' );
 return;
 }
 $editToken = $request->getVal( 'wpEditToken' );
- $didEdit = $this->canEdit()
- && $user->matchEditToken( $editToken, array( 'abusefilter', $filter ) );
+ $tokenMatches = $user->matchEditToken(
+ $editToken, array( 'abusefilter', $filter ), $request );
- if ( $didEdit ) {
+ if ( $tokenMatches && $this->canEdit() ) {
 // Check syntax
 $syntaxerr = AbuseFilter::checkSyntax( $request->getVal( 'wpFilterRules' ) );
 if ( $syntaxerr !== true ) {
@@ -268,6 +268,11 @@ class AbuseFilterViewEdit extends AbuseFilterView {
 ) );
 } else {
+ if ( $tokenMatches ) {
+ // lost rights meanwhile
+ $out->addWikiMsg( 'abusefilter-edit-notallowed' );
+ }
+
 if ( $history_id ) {
 $out->addWikiMsg( 'abusefilter-edit-oldwarning', $this->mHistoryID, $this->mFilter );
@@ -483,7 +488,7 @@ class AbuseFilterViewEdit extends AbuseFilterView {
 );
 }
- if ( $user->isAllowed( 'abusefilter-modify' ) ) {
+ if ( $this->canEdit() ) {
 // Test link
 $tools .= Xml::tags( 'p', null,
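Review bot: The save branch `if ( $tokenMatches && $this->canEdit() )` is entered on a matching `wpEditToken` alone, and the token is read with `$request->getVal()`, which also accepts query-string values. Unless a `wasPosted()` check exists outside this hunk, a save can be driven by a GET request and the edit token would then appear in URLs, referrers and access logs. Consider `$tokenMatches = $request->wasPosted() && $user->matchEditToken( $editToken, array( 'abusefilter', $filter ), $request );`. Separately, `$filter == 'new'` is a loose comparison; `===` would avoid type juggling if `$filter` is always a string, which cannot be confirmed here because its origin is outside the hunk. The enclosing method starts and ends outside the hunk.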
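Review bot: The comment `// lost rights meanwhile` in the new `if ( $tokenMatches )` block of the second hunk is narrower than the condition it documents. After this commit `canEdit()` also fails for blocked users, so this branch is reached for a block as well as for a rights removal. Suggest `// Valid token but canEdit() failed: rights removed or user blocked since the form was loaded`. A refused save from an account holding a valid token is a security-relevant event, so a log entry next to the message would help operators notice repeated attempts. The blocked user sees only the generic `abusefilter-edit-notallowed` text with no block reason; whether that is intended is not clear from the hunk, and the `else` branch continues past its end.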