From: rxy <wikitech.rxy@rxy.jp>
Date: Tue, 13 Aug 2019 09:30:38 +0000 (+0900)
Subject: SECURITY: Add permission check for suppressed account
X-Git-Tag: 1.34.0-rc.0~707
X-Git-Url: http://git.cyclocoop.org/%28%5B%5E/config/index.php?a=commitdiff_plain;h=4356572546b2b4e8eefda9bf10943ba1b12526b9;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Add permission check for suppressed account

Bug: T230402
Change-Id: I6a13859be81e5c746bdf0993eb5416fecdac2306
---

diff --git a/includes/specials/SpecialRedirect.php b/includes/specials/SpecialRedirect.php
index c1409ffd6f..50867dd879 100644
--- a/includes/specials/SpecialRedirect.php
+++ b/includes/specials/SpecialRedirect.php
@@ -83,6 +83,11 @@ class SpecialRedirect extends FormSpecialPage {
 			// Message: redirect-not-exists
 			return Status::newFatal( $this->getMessagePrefix() . '-not-exists' );
 		}
+		if ( $user->isHidden() && !MediaWikiServices::getInstance()->getPermissionManager()
+			->userHasRight( $this->getUser(), 'hideuser' )
+		) {
+			throw new PermissionsError( null, [ 'badaccess-group0' ] );
+		}
 		$userpage = Title::makeTitle( NS_USER, $username );
 
 		return Status::newGood( $userpage->getFullURL( '', false, PROTO_CURRENT ) );