From ef1d06af4e3a33d007718a9ecb4b81d59ad0b549 Mon Sep 17 00:00:00 2001
From: Daniel Kinzler
Date: Wed, 19 Sep 2007 20:04:48 +0000
Subject: [PATCH] security fix (read-protection): use anon user privileges when checking what should be shown in the RC RSS feed. Previously, a 'privileged' version might have been cached and served to everyone.

---
 includes/SpecialRecentchanges.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/SpecialRecentchanges.php b/includes/SpecialRecentchanges.php
index 7565481b19..96425eba05 100644
--- a/includes/SpecialRecentchanges.php
+++ b/includes/SpecialRecentchanges.php
@@ -622,7 +622,13 @@ function rcFormatDiffRow( $title, $oldid, $newid, $timestamp, $comment ) {
 $skin = $wgUser->getSkin();
 $completeText = '

' . $skin->formatComment( $comment ) . "

\n";
- if( $title->getNamespace() >= 0 && $title->userCan( 'read' ) ) {
+ //NOTE: Check permissions for anonymous users, not current user.
+ // No "privileged" version should end up in the cache.
+ // Most feed readers will not log in anway.
+ $anon = new User();
+ $accErrors = $title->getUserPermissionsErrors( 'read', $anon, true );
+
+ if( $title->getNamespace() >= 0 && !$accErrors ) {
 if( $oldid ) {
 wfProfileIn( "$fname-dodiff" );
--
2.20.1
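Review bot: Gating the diff on an anonymous `User` is the right fix for a cached row, but the same row is still built with `$wgUser->getSkin()` two lines above the change, so if anything else in rcFormatDiffRow (its body continues outside the hunk) renders according to the requesting user's preferences or rights, user-specific output can still reach the shared cache; worth confirming that the skin and diff rendering on this path are user-independent. The new NOTE comment has a typo (`anway`) and would be more useful if it stated the invariant the code must keep, e.g. `// Check 'read' as an anonymous user: this row is cached and served to everyone, so it must never reflect the requesting user's rights.` On the new `if` line, `!$accErrors` relies on array truthiness; `count( $accErrors ) === 0` says what is meant.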