From d8fa50e93d8a9d93534f38225308b664c1fef709 Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Thu, 9 Dec 2010 04:54:00 +0000
Subject: [PATCH] Do not reveal page existence in colour of links in tabs when a user cannot read the page. This prevents leaking the existence (or not) of pages on wikis that are not readable anonymously
---
 RELEASE-NOTES | 2 ++
 includes/SkinTemplate.php | 9 +++++----
 skins/Vector.php | 12 +++++++-----
 3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index bfed4d35e4..126110acaa 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -474,6 +474,8 @@ LocalSettings.php. The specific bugs are listed below in the general notes.
 * (bug 25512) Subcategory list should not include category prefix for members.
 * (bug 22753) Output from update.php is more clear when things changed, entries
 indicating nothing changed are now all prefixed by "..."
+* Page existence is now not revealed (in the colour of the tabs) to users who cannot
+ read the page in question.
 === API changes in 1.17 ===
 * (bug 22738) Allow filtering by action type on query=logevent.
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index afdd41cf3e..313225d568 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -728,6 +728,7 @@ class SkinTemplate extends Skin {
 $action = $wgRequest->getVal( 'action', 'view' );
 $section = $wgRequest->getVal( 'section' );
 $content_actions = array();
+ $userCanRead = $this->mTitle->quickUserCan( 'read' );
 $prevent_active_tabs = false;
 wfRunHooks( 'SkinTemplatePreventOtherActiveTabs', array( &$this, &$prevent_active_tabs ) );
@@ -741,7 +742,7 @@ class SkinTemplate extends Skin {
 $subjpage,
 $nskey,
 !$this->mTitle->isTalkPage() && !$prevent_active_tabs,
- '', true
+ '', $userCanRead
 );
 $content_actions['talk'] = $this->tabAction(
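Review bot: The added `$userCanRead = $this->mTitle->quickUserCan( 'read' );` line in the @@ -728,6 hunk has no comment marking it as a disclosure control, so nothing warns a later edit that adds another existence-dependent tab. I would put `// Tabs must not reveal whether the page exists to users who cannot read it; gate every exists()-dependent tab on this.` above it, and the same above the identical line in the @@ -73,6 hunk of skins/Vector.php. Only the name of the quick check is visible here, so it is worth confirming that it applies every read restriction the full permission check does. The enclosing method starts and ends outside the hunk.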
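Review bot: `$userCanRead` is computed from `$this->mTitle`, but the @@ -741,7 hunk passes it to `tabAction()` for `$subjpage`, and @@ -749,7 passes it for the talk tab, so the title being checked is not always the title the tab links to. Where read rights are granted per title, a user who can read the current page but not its subject or talk counterpart would still get an existence-based link colour on that counterpart's tab. Checking the tab's own title closes this, e.g. `'', $subjpage->quickUserCan( 'read' )`. The @@ -93,16 hunk in skins/Vector.php has the same pattern with `$subjectPage` and `$talkPage`. Both `tabAction()` calls begin outside their hunks.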
@@ -749,7 +750,7 @@ class SkinTemplate extends Skin {
 'talk',
 $this->mTitle->isTalkPage() && !$prevent_active_tabs,
 '',
- true
+ $userCanRead
 );
 wfProfileIn( __METHOD__ . '-edit' );
@@ -774,7 +775,7 @@ class SkinTemplate extends Skin {
 );
 }
 }
- } elseif ( $this->mTitle->hasSourceText() ) {
+ } elseif ( $this->mTitle->hasSourceText() && $userCanRead ) {
 $content_actions['viewsource'] = array(
 'class' => ($action == 'edit') ? 'selected' : false,
 'text' => wfMsg( 'viewsource' ),
@@ -784,7 +785,7 @@ class SkinTemplate extends Skin {
 wfProfileOut( __METHOD__ . '-edit' );
 wfProfileIn( __METHOD__ . '-live' );
- if ( $this->mTitle->exists() ) {
+ if ( $this->mTitle->exists() && $userCanRead ) {
 $content_actions['history'] = array(
 'class' => ($action == 'history') ? 'selected' : false,
diff --git a/skins/Vector.php b/skins/Vector.php
index 1f3c56a788..6ee6897e8e 100644
--- a/skins/Vector.php
+++ b/skins/Vector.php
@@ -73,6 +73,8 @@ class SkinVector extends SkinTemplate {
 $action = $wgRequest->getVal( 'action', 'view' );
 $section = $wgRequest->getVal( 'section' );
+ $userCanRead = $this->mTitle->quickUserCan( 'read' );
+
 // Checks if page is some kind of content
 if( $this->iscontent ) {
 // Gets page objects for the related namespaces
@@ -93,16 +95,16 @@ class SkinVector extends SkinTemplate {
 // Adds namespace links
 $links['namespaces'][$subjectId] = $this->tabAction(
- $subjectPage, 'nstab-' . $subjectId, !$isTalk, '', true
+ $subjectPage, 'nstab-' . $subjectId, !$isTalk, '', $userCanRead
 );
 $links['namespaces'][$subjectId]['context'] = 'subject';
 $links['namespaces'][$talkId] = $this->tabAction(
- $talkPage, 'talk', $isTalk, '', true
+ $talkPage, 'talk', $isTalk, '', $userCanRead
 );
 $links['namespaces'][$talkId]['context'] = 'talk';
 // Adds view view link
- if ( $this->mTitle->exists() ) {
+ if ( $this->mTitle->exists() && $userCanRead ) {
 $links['views']['view'] = $this->tabAction(
 $isTalk ? $talkPage : $subjectPage,
 'vector-view-view', ( $action == 'view' ), '', true
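Review bot: The `&& $userCanRead` added to the `elseif ( $this->mTitle->hasSourceText() ... )` line in the @@ -774,7 hunk covers only the view-source tab; the `if` branch this `elseif` hangs off lies above the hunk and is not visible. If that branch uses `exists()` to choose which tab it emits, it should test `$userCanRead` as well, because a user who passes the edit check without read rights would otherwise still see existence-dependent output. The same question applies to the branch above the @@ -155,7 hunk in skins/Vector.php.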
@@ -155,7 +157,7 @@ class SkinVector extends SkinTemplate {
 }
 }
 // Checks if the page has some kind of viewable content
- } elseif ( $this->mTitle->hasSourceText() ) {
+ } elseif ( $this->mTitle->hasSourceText() && $userCanRead ) {
 // Adds view source view link
 $links['views']['viewsource'] = array(
 'class' => ( $action == 'edit' ) ? 'selected' : false,
@@ -169,7 +171,7 @@ class SkinVector extends SkinTemplate {
 wfProfileIn( __METHOD__ . '-live' );
 // Checks if the page exists
- if ( $this->mTitle->exists() ) {
+ if ( $this->mTitle->exists() && $userCanRead ) {
 // Adds history view link
 $links['views']['history'] = array(
 'class' => 'collapsible ' . ( ( $action == 'history' ) ? 'selected' : false ),
-- 
2.20.1
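Review bot: The guard `$this->mTitle->exists() && $userCanRead` in the @@ -169,7 hunk is the third hand-written copy of the same condition across SkinTemplate and SkinVector, alongside two `hasSourceText() && $userCanRead` copies. Since SkinVector extends SkinTemplate, a single protected helper on the base class returning that conjunction would keep the two skins from drifting apart when one of them gains a new tab. The diffstat also shows no test file; a regression test asserting that the tab set and link classes for an unreadable title are identical whether or not the page exists would pin the behaviour this commit is after.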