mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/AbuseFilter.git
synced 2024-12-04 18:38:25 +00:00
30227231f6
A filter using a protected variable can be loaded via filter id using testing tools even though the user might not have the right to view protected variables. This can potentially leak PII and as such, testing tools should check for the right before allowing protected filters to be seen. - Unload a filter asap if it uses protected variables and the requestor doesn't have viewing rights. This: + disallows loading of existing protected filters on page load + disallows testing against rules that use protected variables + disallows subsequent requests for protected filters (via API) There is a known bug (see T369620) where no user feedback is provided if an API request for a filter returns no result (typically when no filter matches the requested id). This commit adds another pathway to that bug (the filter exists but is protected and not returned by the API) but does not update this UI/UX. Bug: T364834 Change-Id: I6a572790edd743596d70c9c4a2ee52b4561e25f3 |
||
---|---|---|
.. | ||
AbuseFilterView.php | ||
AbuseFilterViewDiff.php | ||
AbuseFilterViewEdit.php | ||
AbuseFilterViewExamine.php | ||
AbuseFilterViewHistory.php | ||
AbuseFilterViewImport.php | ||
AbuseFilterViewList.php | ||
AbuseFilterViewRevert.php | ||
AbuseFilterViewTestBatch.php | ||
AbuseFilterViewTools.php | ||
HideAbuseLog.php |