From c3e096c6e5b09d4fa85385f8b1234bf01e544d70 Mon Sep 17 00:00:00 2001 From: Happy-melon Date: Tue, 26 Jul 2011 20:54:41 +0000 Subject: [PATCH] (bug 15641) prevent blocked administrators from accessing deleted revisions. --- includes/LogEventsList.php | 10 +++---- includes/Skin.php | 2 +- includes/SkinTemplate.php | 2 +- includes/api/ApiQueryDeletedrevs.php | 2 +- includes/api/ApiQueryFilearchive.php | 2 +- includes/diff/DifferenceEngine.php | 2 +- includes/specials/SpecialContributions.php | 4 +-- .../specials/SpecialDeletedContributions.php | 4 +++ includes/specials/SpecialRevisiondelete.php | 10 ++++--- includes/specials/SpecialUndelete.php | 5 ++++ includes/specials/SpecialUpload.php | 28 +++++++++---------- 11 files changed, 40 insertions(+), 31 deletions(-) diff --git a/includes/LogEventsList.php b/includes/LogEventsList.php index 744a60cecf..a18d84923e 100644 --- a/includes/LogEventsList.php +++ b/includes/LogEventsList.php @@ -543,7 +543,7 @@ class LogEventsList { } $del = ''; // Don't show useless link to people who cannot hide revisions - if( $wgUser->isAllowed( 'deletedhistory' ) ) { + if( $wgUser->isAllowed( 'deletedhistory' ) && !$wgUser->isBlocked() ) { if( $row->log_deleted || $wgUser->isAllowed( 'deleterevision' ) ) { $canHide = $wgUser->isAllowed( 'deleterevision' ); // If event was hidden from sysops @@ -891,9 +891,9 @@ class LogPager extends ReverseChronologicalPager { global $wgUser; $this->mConds['log_user'] = $userid; // Paranoia: avoid brute force searches (bug 17342) - if( !$wgUser->isAllowed( 'deletedhistory' ) ) { + if( !$wgUser->isAllowed( 'deletedhistory' ) || $wgUser->isBlocked() ) { $this->mConds[] = $this->mDb->bitAnd('log_deleted', LogPage::DELETED_USER) . ' = 0'; - } elseif( !$wgUser->isAllowed( 'suppressrevision' ) ) { + } elseif( !$wgUser->isAllowed( 'suppressrevision' ) || $wgUser->isBlocked() ) { $this->mConds[] = $this->mDb->bitAnd('log_deleted', LogPage::SUPPRESSED_USER) . ' != ' . LogPage::SUPPRESSED_USER; } 
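Review bot: The new predicate `$wgUser->isAllowed( 'deletedhistory' ) && !$wgUser->isBlocked()` on the `$del` link check in the @@ -543 hunk is the same rule this commit hand-copies into Skin.php, SkinTemplate.php, DifferenceEngine.php, SpecialContributions.php and SpecialUpload.php, so the next call site that tests only the right will silently reopen the gap. A single method on User that combines the right with the block test (a `canViewDeletedHistory()`, name illustrative) would give the rule one place to live and one place to audit. Since `isBlocked()` in this tree takes a from-slave flag that defaults to reading a replica, as far as I recall, an administrator blocked moments ago may keep these links until replication catches up; a comment such as `// block status may lag replication; the special pages re-check it` would set expectations. The `deleterevision` branch that follows is unchanged and still gates on the right alone, which is fine because it is nested inside the new test.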
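Review bot: In the @@ -891 hunk the `|| $wgUser->isBlocked()` added to the `elseif( !$wgUser->isAllowed( 'suppressrevision' ) ... )` branch can never be true, because a blocked user has already been taken by the preceding `if`, which now tests `isBlocked()` itself; the same dead term is added at @@ -940 in this file. ContribsPager in SpecialContributions.php (@@ -486) expresses the identical rule without the extra term, so the two pagers now read differently for the same behaviour. Either drop the term here and at @@ -940, restoring `} elseif( !$wgUser->isAllowed( 'suppressrevision' ) ) {`, or add it to ContribsPager as well, but pick one. The enclosing LogPager methods start before these hunks.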
@@ -940,9 +940,9 @@ class LogPager extends ReverseChronologicalPager { $this->mConds['log_title'] = $title->getDBkey(); } // Paranoia: avoid brute force searches (bug 17342) - if( !$wgUser->isAllowed( 'deletedhistory' ) ) { + if( !$wgUser->isAllowed( 'deletedhistory' ) || $wgUser->isBlocked() ) { $this->mConds[] = $db->bitAnd('log_deleted', LogPage::DELETED_ACTION) . ' = 0'; - } elseif( !$wgUser->isAllowed( 'suppressrevision' ) ) { + } elseif( !$wgUser->isAllowed( 'suppressrevision' ) || $wgUser->isBlocked() ) { $this->mConds[] = $db->bitAnd('log_deleted', LogPage::SUPPRESSED_ACTION) . ' != ' . LogPage::SUPPRESSED_ACTION; } diff --git a/includes/Skin.php b/includes/Skin.php index d9973c2b4a..c8d057af33 100644 --- a/includes/Skin.php +++ b/includes/Skin.php @@ -631,7 +631,7 @@ abstract class Skin extends ContextSource { function getUndeleteLink() { $action = $this->getRequest()->getVal( 'action', 'view' ); - if ( $this->getUser()->isAllowed( 'deletedhistory' ) && + if ( $this->getUser()->isAllowed( 'deletedhistory' ) && !$this->getUser()->isBlocked() && ( $this->getTitle()->getArticleId() == 0 || $action == 'history' ) ) { $includeSuppressed = $this->getUser()->isAllowed( 'suppressrevision' ); diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php index 4cef194674..96748909b1 100644 --- a/includes/SkinTemplate.php +++ b/includes/SkinTemplate.php @@ -924,7 +924,7 @@ class SkinTemplate extends Skin { } } else { // article doesn't exist or is deleted - if ( $wgUser->isAllowed( 'deletedhistory' ) ) { + if ( $wgUser->isAllowed( 'deletedhistory' ) && !$wgUser->isBlocked() ) { $includeSuppressed = $wgUser->isAllowed( 'suppressrevision' ); $n = $title->isDeleted( $includeSuppressed ); if( $n ) { diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php index d8108022a5..8116db14bc 100644 --- a/includes/api/ApiQueryDeletedrevs.php +++ b/includes/api/ApiQueryDeletedrevs.php 
@@ -43,7 +43,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase { public function execute() { global $wgUser; // Before doing anything at all, let's check permissions - if ( !$wgUser->isAllowed( 'deletedhistory' ) ) { + if ( !$wgUser->isAllowed( 'deletedhistory' ) || $wgUser->isBlocked() ) { $this->dieUsage( 'You don\'t have permission to view deleted revision information', 'permissiondenied' ); } diff --git a/includes/api/ApiQueryFilearchive.php b/includes/api/ApiQueryFilearchive.php index e746a6c499..39b87c4372 100644 --- a/includes/api/ApiQueryFilearchive.php +++ b/includes/api/ApiQueryFilearchive.php @@ -45,7 +45,7 @@ class ApiQueryFilearchive extends ApiQueryBase { public function execute() { global $wgUser; // Before doing anything at all, let's check permissions - if ( !$wgUser->isAllowed( 'deletedhistory' ) ) { + if ( !$wgUser->isAllowed( 'deletedhistory' ) || $wgUser->isBlocked() ) { $this->dieUsage( 'You don\'t have permission to view deleted file information', 'permissiondenied' ); } diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php index 034f0da6e9..5f1a962b4e 100644 --- a/includes/diff/DifferenceEngine.php +++ b/includes/diff/DifferenceEngine.php @@ -147,7 +147,7 @@ class DifferenceEngine { */ function deletedLink( $id ) { global $wgUser; - if ( $wgUser->isAllowed( 'deletedhistory' ) ) { + if ( $wgUser->isAllowed( 'deletedhistory' ) && !$wgUser->isBlocked() ) { $dbr = wfGetDB( DB_SLAVE ); $row = $dbr->selectRow('archive', '*', array( 'ar_rev_id' => $id ), diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php index 7c7089ca06..7158faceb3 100644 --- a/includes/specials/SpecialContributions.php +++ b/includes/specials/SpecialContributions.php 
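Review bot: The widened check in the @@ -43 hunk reports a blocked caller with the same `permissiondenied` code and the same `You don't have permission to view deleted revision information` text as a caller who lacks the right, so an API client cannot tell a block from a missing right, whereas the web paths in this commit throw `UserBlockedError` and name the block. ApiQueryFilearchive.php (@@ -45) has the same shape. A separate branch for the block, e.g. `if ( $wgUser->isBlocked() ) { $this->dieUsage( 'You are blocked', 'blocked' ); }` (message and code illustrative; the tree may already have a standard blocked error to reuse), keeps the two causes distinguishable and lets the refusal show up as a block in API error logs. Checking before any parameter is read, as the existing comment says, is the right order.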
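Review bot: Guarding `deletedLink()` in the @@ -147 hunk only hides the link to an archived revision, and nothing in this commit touches the central bitfield checks that decide whether revision-deleted text, summaries and log entries are shown (`Revision::userCan()` and `LogEventsList::userCan()` both test `deletedhistory` in this tree, as far as I recall). If those stay as they are, a blocked administrator still sees rev_deleted content through ordinary page views, history and diffs, which the commit title suggests should also be closed; please confirm against those helpers and, if leaving them is intended, say so in the commit description. Whatever the outcome, a comment at this `if` such as `// link only; access to the archive row is enforced by Special:Undelete` would record what this guard does and does not protect. `deletedLink()` continues past the hunk.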
@@ -317,7 +317,7 @@ class SpecialContributions extends SpecialPage { ); # Add link to deleted user contributions for priviledged users - if( $subject->isAllowed( 'deletedhistory' ) ) { + if( $subject->isAllowed( 'deletedhistory' ) && !$subject->isBlocked() ) { $tools[] = $sk->linkKnown( SpecialPage::getTitleFor( 'DeletedContributions', $username ), wfMsgHtml( 'sp-contributions-deleted' ) @@ -486,7 +486,7 @@ class ContribsPager extends ReverseChronologicalPager { $conds = array_merge( $userCond, $this->getNamespaceCond() ); // Paranoia: avoid brute force searches (bug 17342) - if( !$wgUser->isAllowed( 'deletedhistory' ) ) { + if( !$wgUser->isAllowed( 'deletedhistory' ) || $wgUser->isBlocked() ) { $conds[] = $this->mDb->bitAnd('rev_deleted',Revision::DELETED_USER) . ' = 0'; } elseif( !$wgUser->isAllowed( 'suppressrevision' ) ) { $conds[] = $this->mDb->bitAnd('rev_deleted',Revision::SUPPRESSED_USER) . diff --git a/includes/specials/SpecialDeletedContributions.php b/includes/specials/SpecialDeletedContributions.php index 32ed62b74f..77c7e84ffb 100644 --- a/includes/specials/SpecialDeletedContributions.php +++ b/includes/specials/SpecialDeletedContributions.php @@ -281,6 +281,10 @@ class DeletedContributionsPage extends SpecialPage { return; } + if( $wgUser->isBlocked() ){ + throw new UserBlockedError( $wgUser->getBlock() ); + } + global $wgOut, $wgRequest; $wgOut->setPageTitle( wfMsgExt( 'deletedcontributions-title', array( 'parsemag' ) ) ); diff --git a/includes/specials/SpecialRevisiondelete.php b/includes/specials/SpecialRevisiondelete.php index 3c64325341..90a203045b 100644 --- a/includes/specials/SpecialRevisiondelete.php +++ b/includes/specials/SpecialRevisiondelete.php 
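Review bot: The @@ -317 hunk tests `$subject->isBlocked()`, but the hunk does not show what `$subject` is; if it is the user whose contributions are being listed rather than the viewer, this hides the deleted-contributions link when the listed user is blocked and still shows it to a blocked viewer, which inverts the fix. Please confirm `$subject` is the requesting user (the comment above, `# Add link to deleted user contributions for priviledged users`, refers to the viewer) and, if it is not, switch to the current user as the other hunks do. A one-line comment `// $subject is the viewing user, not the listed user` would prevent this misreading next time. The enclosing method starts before the hunk.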
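Review bot: The block test added in the @@ -281 hunk, `if( $wgUser->isBlocked() ){`, omits the space before the brace that the surrounding code uses, and it relies on `$wgUser` being imported by a `global` statement above the hunk while the `global $wgOut, $wgRequest;` line just below imports only those two, so please check the scope (the `return;` above suggests a permission check outside the hunk that already uses `$wgUser`). Consider `if ( $wgUser->isBlocked() ) {` and placing the check next to that earlier permission test so the two gates are read together. The enclosing method starts before the hunk.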
@@ -113,13 +113,15 @@ class SpecialRevisionDelete extends UnlistedSpecialPage { public function execute( $par ) { $output = $this->getOutput(); $user = $this->getUser(); + if( !$user->isAllowed( 'deletedhistory' ) ) { - $output->permissionRequired( 'deletedhistory' ); - return; + throw new PermissionsError( 'deletedhistory' ); } elseif( wfReadOnly() ) { - $output->readOnlyPage(); - return; + throw new ReadOnlyError; + } elseif( $user->isBlocked() ) { + throw new UserBlockedError( $user->getBlock() ); } + $this->mIsAllowed = $user->isAllowed('deleterevision'); // for changes $this->setHeaders(); $this->outputHeader(); diff --git a/includes/specials/SpecialUndelete.php b/includes/specials/SpecialUndelete.php index e2bd40e45d..fca840d861 100644 --- a/includes/specials/SpecialUndelete.php +++ b/includes/specials/SpecialUndelete.php @@ -643,6 +643,11 @@ class SpecialUndelete extends SpecialPage { $this->displayRestrictionError(); return; } + + if ( $this->getUser()->isBlocked() ) { + throw new UserBlockedError( $this->getUser()->getBlock() ); + } + $this->outputHeader(); $this->loadRequest(); diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php index 60894a416a..eec28c200e 100644 --- a/includes/specials/SpecialUpload.php +++ b/includes/specials/SpecialUpload.php 
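Review bot: Beyond the block check, the @@ -113 hunk also replaces `$output->permissionRequired(...)`/`readOnlyPage()` followed by `return` with thrown `PermissionsError` and `ReadOnlyError`, a behaviour change the commit description does not mention and which depends on every caller of `execute()` letting those exceptions reach the error-page handler; if that is assured in this tree it deserves a sentence in the description. `throw new ReadOnlyError;` is the only construction in the chain without parentheses; `throw new ReadOnlyError();` keeps it consistent with the `UserBlockedError( $user->getBlock() )` line below it. Because every branch throws, the `elseif` chain can be three independent `if` statements, and a blocked user on a read-only wiki currently gets the read-only page rather than the block notice, which is acceptable but worth a comment if deliberate.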
@@ -313,21 +313,19 @@ class SpecialUpload extends SpecialPage { $title = Title::makeTitleSafe( NS_FILE, $this->mDesiredDestName ); // Show a subtitle link to deleted revisions (to sysops et al only) - if( $title instanceof Title ) { - if ( $wgUser->isAllowed( 'deletedhistory' ) ) { - $canViewSuppress = $wgUser->isAllowed( 'suppressrevision' ); - $count = $title->isDeleted( $canViewSuppress ); - if ( $count > 0 ) { - $link = wfMsgExt( - $wgUser->isAllowed( 'delete' ) ? 'thisisdeleted' : 'viewdeleted', - array( 'parse', 'replaceafter' ), - $this->getSkin()->linkKnown( - SpecialPage::getTitleFor( 'Undelete', $title->getPrefixedText() ), - wfMsgExt( 'restorelink', array( 'parsemag', 'escape' ), $count ) - ) - ); - $wgOut->addHTML( "
{$link}
" ); - } + if( $title instanceof Title && $wgUser->isAllowed( 'deletedhistory' ) && !$wgUser->isBlocked() ) { + $canViewSuppress = $wgUser->isAllowed( 'suppressrevision' ); + $count = $title->isDeleted( $canViewSuppress ); + if ( $count > 0 ) { + $link = wfMsgExt( + $wgUser->isAllowed( 'delete' ) ? 'thisisdeleted' : 'viewdeleted', + array( 'parse', 'replaceafter' ), + $this->getSkin()->linkKnown( + SpecialPage::getTitleFor( 'Undelete', $title->getPrefixedText() ), + wfMsgExt( 'restorelink', array( 'parsemag', 'escape' ), $count ) + ) + ); + $wgOut->addHTML( "
{$link}
" ); } } } -- 2.20.1
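Review bot: The `!$wgUser->isBlocked()` term folded into the single `if` in the @@ -313 hunk is, as far as I recall, unreachable on this page, because `SpecialUpload::execute()` in this tree already turns blocked users away before the form is shown; if that holds, the term is harmless redundancy and the rest of the hunk is a pure re-nesting of unchanged code. If it is kept as defence in depth, a comment such as `// redundant with the block check in execute(); kept so this matches the other deleted-history links` says why it is there, and if not, the re-nesting could be left out of a bug-fix commit to keep the diff reviewable. The rendering of the `addHTML` call here appears to have lost its markup (only the interpolated `{$link}` survives between the quotes), so the wrapper element cannot be checked from this page. The enclosing method starts before the hunk.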