wikimedia/mediawiki-extensions-VisualEditor
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/VisualEditor synced 2024-11-23 22:13:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Act like users don't exist if hidden from viewer (VE edit notices)

Browse source 
Applying the changes from the MediaWiki core patch for T120883
(Ife272a0eb1f3322bc8eb30ca803bd21801acba3e) to our duplicated
code implementing the same functionality.

Bug: T270453
Change-Id: I1b2de322aa0c69eb6d3b3ffadaed3fbaa3a58bca
This commit is contained in:
Bartosz Dziewoński 2020-12-18 16:47:05 +01:00 committed by Reedy
parent beceb63ea0
commit 93dbd12a60
1 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
includes/ApiVisualEditor.php
View file

@ -485,10 +485,15 @@ class ApiVisualEditor extends ApiBase {
/* allow IP users*/ false /* allow IP users*/ false
); );
if ( $targetUserExists = ( $targetUser && $targetUser->isLoggedIn() );
!( $targetUser && $targetUser->isLoggedIn() ) && if ( $targetUserExists && $targetUser->isHidden() &&
!User::isIP( $targetUsername ) !$user->isAllowed( 'hideuser' )
) { ) {
// If the user exists, but is hidden, and the viewer cannot see hidden
// users, pretend like they don't exist at all. See T120883/T270453
$targetUserExists = false;
}
if ( !$targetUserExists && !User::isIP( $targetUsername ) ) {
// User does not exist // User does not exist
$notices[] = "<div class=\"mw-userpage-userdoesnotexist error\">\n" . $notices[] = "<div class=\"mw-userpage-userdoesnotexist error\">\n" .
$this->msg( 'userpage-userdoesnotexist', wfEscapeWikiText( $targetUsername ) ) . $this->msg( 'userpage-userdoesnotexist', wfEscapeWikiText( $targetUsername ) ) .