From: rxy
Date: Sun, 28 Apr 2019 20:14:18 +0000 (+0900)
Subject: SECURITY: Add permission check for user is permitted to view the log type
X-Git-Tag: 1.34.0-rc.0~1501^2
X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dcompta/comptes/journal.php?a=commitdiff_plain;h=5de4402b5909f40fccb1fe6c1d1c9317da345c09;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Add permission check for user is permitted to view the log type

Bug: T222038
Change-Id: I92ec2adfd9c514b3be1c07b7d22b9f9722d24a82
---
diff --git a/includes/logging/LogEventsList.php b/includes/logging/LogEventsList.php
index 3fd52af01b..e66bd69cd5 100644
--- a/includes/logging/LogEventsList.php
+++ b/includes/logging/LogEventsList.php
@@ -531,7 +531,7 @@ class LogEventsList extends ContextSource {

 /**
 * Determine if the current user is allowed to view a particular
- * field of this log row, if it's marked as deleted.
+ * field of this log row, if it's marked as deleted and/or restricted log type.
 *
 * @param stdClass $row
 * @param int $field
@@ -539,7 +539,8 @@ class LogEventsList extends ContextSource {
 * @return bool
 */
 public static function userCan( $row, $field, User $user = null ) {
- return self::userCanBitfield( $row->log_deleted, $field, $user );
+ return self::userCanBitfield( $row->log_deleted, $field, $user ) &&
+ self::userCanViewLogType( $row->log_type, $user );
 }

 /**
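Review bot: `userCan` now reads `$row->log_type`, but nothing visible here guarantees that every caller's query selects that column. If the property is missing, PHP yields null, `isset( $logRestrictions[null] )` is false and `userCanViewLogType` returns true, so the new restriction fails open with only a notice. The docblock should state the requirement, e.g. `@param stdClass $row Log row; must include log_deleted and log_type`, and callers that build partial rows are worth auditing. Code that calls the public `userCanBitfield` directly with `log_deleted` presumably bypasses the log-type check as well, since only `userCan` was changed. The docblock of `userCan` begins in the previous hunk and one line of it lies between the two hunks.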
@@ -569,6 +570,26 @@ class LogEventsList extends ContextSource {
 return true;
 }

+ /**
+ * Determine if the current user is allowed to view a particular
+ * field of this log row, if it's marked as restricted log type.
+ *
+ * @param stdClass $type
+ * @param User|null $user User to check, or null to use $wgUser
+ * @return bool
+ */
+ public static function userCanViewLogType( $type, User $user = null ) {
+ if ( $user === null ) {
+ global $wgUser;
+ $user = $wgUser;
+ }
+ $logRestrictions = MediaWikiServices::getInstance()->getMainConfig()->get( 'LogRestrictions' );
+ if ( isset( $logRestrictions[$type] ) && !$user->isAllowed( $logRestrictions[$type] ) ) {
+ return false;
+ }
+ return true;
+ }
+
 /**
 * @param stdClass $row
 * @param int $field One of DELETED_* bitfield constants
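Review bot: The docblock on `userCanViewLogType` does not match the code. `$type` is documented as `stdClass`, but it is used as an array key into the `LogRestrictions` config and `userCan` passes it `$row->log_type`, so it should read `@param string $type Log type name`. The summary was copied from `userCan` and still talks about "a particular field of this log row"; something like `Determine if the given user may view entries of this log type, according to the LogRestrictions config.` describes the actual contract. It would also help to note in the docblock that a type with no entry in `LogRestrictions` is treated as unrestricted, because that default is what makes a missing or misspelled type permit access. The method depends on `MediaWikiServices` being imported at the top of the file, which is outside this hunk and should be confirmed.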