From: Roan Kattouw Date: Fri, 10 Dec 2010 11:33:51 +0000 (+0000) Subject: Followup r78117: information was still leaked through the caption of the Edit tab... X-Git-Tag: 1.31.0-rc.0~33401 X-Git-Url: http://git.cyclocoop.org/ecrire?a=commitdiff_plain;h=78d8e3a50ad2046c843bee9abfb06509d4d2786c;p=lhc%2Fweb%2Fwiklou.git Followup r78117: information was still leaked through the caption of the Edit tab (which is "Create" for nonexistent pages) for users who had edit but not read rights. This may seem like a ridiculous case, but since we automatically disallow edit if you can't read, it's easy to forget to disallow editing as well as reading. Fixed this by not showing the edit tab at all if the user can't read (which makes sense since it's also hidden if the user is explicitly forbidden from editing).
---
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index 7821a58a00..6ec0d2082c 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -754,7 +754,7 @@ class SkinTemplate extends Skin {
 );
 wfProfileIn( __METHOD__ . '-edit' );
- if ( $this->mTitle->quickUserCan( 'edit' ) && ( $this->mTitle->exists() || $this->mTitle->quickUserCan( 'create' ) ) ) {
+ if ( $userCanRead && $this->mTitle->quickUserCan( 'edit' ) && ( $this->mTitle->exists() || $this->mTitle->quickUserCan( 'create' ) ) ) {
 $istalk = $this->mTitle->isTalkPage();
 $istalkclass = $istalk?' istalk':'';
 $content_actions['edit'] = array(
diff --git a/skins/Vector.php b/skins/Vector.php
index 27fb9e858f..77acefe2c9 100644
--- a/skins/Vector.php
+++ b/skins/Vector.php
@@ -115,8 +115,8 @@ class SkinVector extends SkinTemplate {
 // Checks if user can...
 if (
- // edit the current page
- $this->mTitle->quickUserCan( 'edit' ) &&
+ // read and edit the current page
+ $userCanRead && $this->mTitle->quickUserCan( 'edit' ) &&
 (
 // if it exists
 $this->mTitle->exists() ||
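Review bot: The added `$userCanRead &&` guard in includes/SkinTemplate.php has no comment saying why read permission gates the edit tab, and the reason cannot be read off the condition: the tab caption differs for nonexistent pages, so rendering it tells the user whether the page exists. I would put this above the `if`: `// Hide the edit tab from users who cannot read: its caption ("Create" vs. "Edit") reveals whether the page exists.` The same condition is written out a second time in skins/Vector.php (second hunk), so every permission fix to it has to be made twice; a shared helper on SkinTemplate that both skins call would keep the two copies in step. `$userCanRead` is assigned outside this hunk, presumably by r78117, and the `if` body continues past the hunk's last line.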
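Review bot: `$userCanRead` is used in the skins/Vector.php condition but its assignment is not visible in this hunk, so confirm it is set inside this SkinVector method and not only in SkinTemplate's. An unset local evaluates to null here, which would hide the edit tab for every user and raise an undefined-variable notice rather than fail loudly. The updated comment `// read and edit the current page` says what is checked but not why; a short note that the tab caption would otherwise disclose page existence to users without read rights would stop the guard being dropped in a later cleanup. The enclosing `if (` starts inside the hunk and its closing lines fall outside it, so any other tabs that vary with page existence cannot be checked from here.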