From: Brian Wolff <bawolff+wn@gmail.com>
Date: Fri, 23 Feb 2018 21:52:25 +0000 (+0000)
Subject: SECURITY: Fix revdel checks in LogPager
X-Git-Tag: 1.31.0-rc.0~446
X-Git-Url: http://git.cyclocoop.org/data/%27%20.%20mediabox_timestamp%28find_in_path%28%27javascript/%7B%24www_url%7Dadmin/compta/operations/%40%20%27info_etape_suivante_2%27%20=%3E%20%27You%20can%20move%20on%20to%20the%20next%20step.%27%2C%20%27info_exceptions_proxy%27%20=%3E%20%27Exceptions%20for%20the%20proxy%27%2C%20%27info_exportation_base%27%20=%3E%20%27export%20database%20to%20%40archive%40%27%2C-%27info_facilite_suivi_activite%27%20=%3E%20%27To%20simplify%20monitoring%20of%20the%20site/%27s%20editorial;-%20%20activities%2C%20SPIP%20can%20send%20rmail%20notifications%2C%20e.g.%20to%20an%20editors/%27.%28%24current%20%3E%202?a=commitdiff_plain;h=60aa9050066839a8981df87c47b920ca61d49590;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Fix revdel checks in LogPager

Follow-up to ce881e02e8d6 where the check for performer
restrictions and action restrictions was reversed.

Bug: T188145
Change-Id: I85a44f925212929ac87fb7a7e494023258f2d148
---

diff --git a/includes/logging/LogPager.php b/includes/logging/LogPager.php
index dc9af5adda..d1acacf1b4 100644
--- a/includes/logging/LogPager.php
+++ b/includes/logging/LogPager.php
@@ -424,9 +424,9 @@ class LogPager extends ReverseChronologicalPager {
 		$this->actionRestrictionsEnforced = true;
 		$user = $this->getUser();
 		if ( !$user->isAllowed( 'deletedhistory' ) ) {
-			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_USER ) . ' = 0';
+			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0';
 		} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
-			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_USER ) .
+			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_ACTION ) .
 				' != ' . LogPage::SUPPRESSED_USER;
 		}
 	}
@@ -442,9 +442,9 @@ class LogPager extends ReverseChronologicalPager {
 		$this->performerRestrictionsEnforced = true;
 		$user = $this->getUser();
 		if ( !$user->isAllowed( 'deletedhistory' ) ) {
-			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0';
+			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_USER ) . ' = 0';
 		} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
-			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_ACTION ) .
+			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_USER ) .
 				' != ' . LogPage::SUPPRESSED_ACTION;
 		}
 	}