From 678cde7c9121617ebe9d526e5921ad89a9e54884 Mon Sep 17 00:00:00 2001
From: Happy-melon
Date: Thu, 31 Mar 2011 23:09:02 +0000
Subject: [PATCH] Fix for r85005: the getUserPermissionsErrors() calls were each returning a badaccess error when the user didn't have their particular permission, even if they had the other one, exclude these errors since they're already covered by the $user->isAllowedAny() check above. Also fix processForm() to check isAllowed('import') for transwiki; this wasn't being done which meant users with importupload but not import (an unlikely combination to be fair) could still spoof the form.
---
 includes/specials/SpecialImport.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/includes/specials/SpecialImport.php b/includes/specials/SpecialImport.php
index e337abbd0d..9ea9b07184 100644
--- a/includes/specials/SpecialImport.php
+++ b/includes/specials/SpecialImport.php
@@ -71,9 +71,16 @@ class SpecialImport extends SpecialPage {
 # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
 # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
 $errors = wfMergeErrorArrays(
- $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ),
- $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) )
+ $this->getTitle()->getUserPermissionsErrors(
+ 'import', $wgUser, true,
+ array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+ ),
+ $this->getTitle()->getUserPermissionsErrors(
+ 'importupload', $wgUser, true,
+ array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' )
+ )
 );
+
 if( $errors ){
 $wgOut->showPermissionsErrorPage( $errors );
 return;
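Review bot: The two `badaccess-*` entries added to the ignore lists mean this block no longer enforces the `import`/`importupload` rights by itself; it now relies entirely on the `isAllowedAny()` check that the commit message says sits above, which is outside this hunk. The FIXME above still explains only `'ns-specialprotected'`, so a later reader has no hint that the rights check lives elsewhere. I would add a comment before `$errors = wfMergeErrorArrays(` such as `# badaccess-* is ignored because the isAllowedAny() check above already rejected users with neither right; do not remove one without the other`. The identical ignore array is also written out twice and could be a single local, e.g. `$ignoreErrors = array( 'ns-specialprotected', 'badaccess-group0', 'badaccess-groups' );`, so the two calls cannot drift apart. The enclosing method starts and ends outside the hunk.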
@@ -107,6 +114,9 @@ class SpecialImport extends SpecialPage {
 return $wgOut->permissionRequired( 'importupload' );
 }
 } elseif ( $sourceName == "interwiki" ) {
+ if( !$wgUser->isAllowed( 'import' ) ){
+ return $wgOut->permissionRequired( 'import' );
+ }
 $this->interwiki = $wgRequest->getVal( 'interwiki' );
 if ( !in_array( $this->interwiki, $wgImportSources ) ) {
 $source = Status::newFatal( "import-invalid-interwiki" );
-- 
2.20.1
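Review bot: The added `isAllowed( 'import' )` guard in the `interwiki` branch is the actual enforcement point for transwiki imports, but nothing at the call site says so. A short comment above it would keep it from being removed later as redundant with the form display logic, for example `# Hiding the transwiki form is not enough: a user holding only importupload can still submit it, so re-check the right here`. Each source branch hand-codes its own right, so any further source added to this `if`/`elseif` chain needs its own check. Whether the chain ends in a fail-closed default cannot be seen from this hunk, since processForm() starts and ends outside it.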