security fix (read-protection): use anon user privileges when checking what should...

author Daniel Kinzler <daniel@users.mediawiki.org>

Wed, 19 Sep 2007 20:04:48 +0000 (20:04 +0000)

committer Daniel Kinzler <daniel@users.mediawiki.org>

Wed, 19 Sep 2007 20:04:48 +0000 (20:04 +0000)
author Daniel Kinzler <daniel@users.mediawiki.org>
Wed, 19 Sep 2007 20:04:48 +0000 (20:04 +0000)
committer Daniel Kinzler <daniel@users.mediawiki.org>
Wed, 19 Sep 2007 20:04:48 +0000 (20:04 +0000)
diff --git a/includes/SpecialRecentchanges.php b/includes/SpecialRecentchanges.php

index 7565481..96425eb 100644 (file)
--- a/includes/SpecialRecentchanges.php
+++ b/includes/SpecialRecentchanges.php
@@ -622,7 +622,13 @@ function rcFormatDiffRow( $title, $oldid, $newid, $timestamp, $comment ) {
         $skin = $wgUser->getSkin();
         $completeText = '<p>' . $skin->formatComment( $comment ) . "</p>\n";
  
-       if( $title->getNamespace() >= 0 && $title->userCan( 'read' ) ) {
+       //NOTE: Check permissions for anonymous users, not current user.
+       //      No "privileged" version should end up in the cache.
+       //      Most feed readers will not log in anway.
+       $anon = new User();
+       $accErrors = $title->getUserPermissionsErrors( 'read', $anon, true );
+
+       if( $title->getNamespace() >= 0 && !$accErrors ) {
                 if( $oldid ) {
                         wfProfileIn( "$fname-dodiff" );
author	Daniel Kinzler <daniel@users.mediawiki.org>
	Wed, 19 Sep 2007 20:04:48 +0000 (20:04 +0000)
committer	Daniel Kinzler <daniel@users.mediawiki.org>
	Wed, 19 Sep 2007 20:04:48 +0000 (20:04 +0000)