From: Yuri Astrakhan Date: Sat, 14 Jul 2007 19:04:31 +0000 (+0000) Subject: API: Big change: Removed all userCanRead() checks per IRC discussion. Only rvprop... X-Git-Tag: 1.31.0-rc.0~52099 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/ajouter.php?a=commitdiff_plain;h=8ca133afff97fd082b9c157d7aa7bf319ff42c25;p=lhc%2Fweb%2Fwiklou.git API: Big change: Removed all userCanRead() checks per IRC discussion. Only rvprop=content will now check that the page can be read. --- diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index a03b50317f..5313c9e133 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -96,8 +96,8 @@ class ApiMain extends ApiBase { // Impose module restrictions. // If the current user cannot read, - // Remove all modules other than login & help - global $wgUser, $wgWhitelistRead; + // Remove all modules other than login + global $wgUser; if (!$wgUser->isAllowed('read')) { self::$Modules = array( 'login' => self::$Modules['login'], diff --git a/includes/api/ApiPageSet.php b/includes/api/ApiPageSet.php index bb34149720..1fbb29f250 100644 --- a/includes/api/ApiPageSet.php +++ b/includes/api/ApiPageSet.php 
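Review bot: The comment was changed from "login & help" to "login", but the `self::$Modules = array(` literal it describes continues past the end of this hunk, so it cannot be seen whether the `help` entry was actually removed. If it is still there the comment is now wrong; if it was removed, users without the read right lose the help output as well, which is worth stating explicitly, e.g. `// Remove all modules other than login (help is withheld too for users without read rights)`. Dropping `$wgWhitelistRead` from the `global` line is consistent with the visible hunk, which only consults `$wgUser->isAllowed('read')`.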
@@ -297,22 +297,18 @@ class ApiPageSet extends ApiQueryBase { // Store Title object in various data structures $title = Title :: makeTitle($row->page_namespace, $row->page_title); - // skip any pages that user has no rights to read - if ($title->userCanRead()) { - - $pageId = intval($row->page_id); - $this->mAllPages[$row->page_namespace][$row->page_title] = $pageId; - $this->mTitles[] = $title; - - if ($this->mResolveRedirects && $row->page_is_redirect == '1') { - $this->mPendingRedirectIDs[$pageId] = $title; - } else { - $this->mGoodTitles[$pageId] = $title; - } - - foreach ($this->mRequestedPageFields as $fieldName => & $fieldValues) - $fieldValues[$pageId] = $row-> $fieldName; + $pageId = intval($row->page_id); + $this->mAllPages[$row->page_namespace][$row->page_title] = $pageId; + $this->mTitles[] = $title; + + if ($this->mResolveRedirects && $row->page_is_redirect == '1') { + $this->mPendingRedirectIDs[$pageId] = $title; + } else { + $this->mGoodTitles[$pageId] = $title; } + + foreach ($this->mRequestedPageFields as $fieldName => & $fieldValues) + $fieldValues[$pageId] = $row-> $fieldName; } public function finishPageSetGeneration() { @@ -595,8 +591,6 @@ class ApiPageSet extends ApiQueryBase { // Validation if ($titleObj->getNamespace() < 0) $this->dieUsage("No support for special page $titleString has been implemented", 'unsupportednamespace'); - if (!$titleObj->userCanRead()) - $this->dieUsage("No read permission for $titleString", 'titleaccessdenied'); $linkBatch->addObj($titleObj); } diff --git a/includes/api/ApiQuery.php b/includes/api/ApiQuery.php index 9609861bab..bf513f3346 100644 --- a/includes/api/ApiQuery.php +++ b/includes/api/ApiQuery.php @@ -293,7 +293,7 @@ class ApiQuery extends ApiBase { // Report any missing titles foreach ($pageSet->getMissingTitles() as $fakeId => $title) { $vals = array(); - ApiQueryBase :: addTitleInfo($vals, $title, true); + ApiQueryBase :: addTitleInfo($vals, $title); $vals['missing'] = ''; $pages[$fakeId] = $vals; } 
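Review bot: With the `userCanRead()` filter gone, `processDbRow` now records every row into `mAllPages`, `mTitles`, `mGoodTitles`/`mPendingRedirectIDs` and every requested page field, so page IDs, redirect status and those fields of read-restricted pages are handed to any module built on this page set; the commit message makes that deliberate, but nothing in the class says so, and the second hunk in this file silently drops the `titleaccessdenied` error a client could previously rely on. A maintainer adding a new prop module has no signal that read restrictions are now their responsibility. Add above the method `// NOTE: no read-permission filtering is done here; a module that exposes page content must check Title::userCanRead() itself (see ApiQueryRevisions, rvprop=content).`, and check whether any error/format documentation outside this hunk still lists `titleaccessdenied`.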
@@ -310,7 +310,7 @@ class ApiQuery extends ApiBase { foreach ($pageSet->getGoodTitles() as $pageid => $title) { $vals = array(); $vals['pageid'] = $pageid; - ApiQueryBase :: addTitleInfo($vals, $title, true); + ApiQueryBase :: addTitleInfo($vals, $title); $pages[$pageid] = $vals; } diff --git a/includes/api/ApiQueryAllLinks.php b/includes/api/ApiQueryAllLinks.php index e802108d45..a9a27ff410 100644 --- a/includes/api/ApiQueryAllLinks.php +++ b/includes/api/ApiQueryAllLinks.php @@ -101,17 +101,15 @@ class ApiQueryAllLinks extends ApiQueryGeneratorBase { } if (is_null($resultPageSet)) { - $title = Title :: makeTitle($row->pl_namespace, $row->pl_title); - if ($title->userCanRead()) { - $vals = array(); - if ($fld_ids) - $vals['fromid'] = intval($row->pl_from); - if ($fld_title) { - $vals['ns'] = intval($title->getNamespace()); - $vals['title'] = $title->getPrefixedText(); - } - $data[] = $vals; + $vals = array(); + if ($fld_ids) + $vals['fromid'] = intval($row->pl_from); + if ($fld_title) { + $title = Title :: makeTitle($row->pl_namespace, $row->pl_title); + $vals['ns'] = intval($title->getNamespace()); + $vals['title'] = $title->getPrefixedText(); } + $data[] = $vals; } else { $pageids[] = $row->pl_from; } diff --git a/includes/api/ApiQueryAllpages.php b/includes/api/ApiQueryAllpages.php index e858dec380..3ec357defa 100644 --- a/includes/api/ApiQueryAllpages.php +++ b/includes/api/ApiQueryAllpages.php @@ -94,12 +94,10 @@ class ApiQueryAllpages extends ApiQueryGeneratorBase { if (is_null($resultPageSet)) { $title = Title :: makeTitle($row->page_namespace, $row->page_title); - if ($title->userCanRead()) { - $data[] = array( - 'pageid' => intval($row->page_id), - 'ns' => intval($title->getNamespace()), - 'title' => $title->getPrefixedText()); - } + $data[] = array( + 'pageid' => intval($row->page_id), + 'ns' => intval($title->getNamespace()), + 'title' => $title->getPrefixedText()); } else { $resultPageSet->processDbRow($row); } 
diff --git a/includes/api/ApiQueryBacklinks.php b/includes/api/ApiQueryBacklinks.php index a9e059fa13..b4f4380dfe 100644 --- a/includes/api/ApiQueryBacklinks.php +++ b/includes/api/ApiQueryBacklinks.php @@ -186,13 +186,9 @@ class ApiQueryBacklinks extends ApiQueryGeneratorBase { private function extractRowInfo($row) { - $title = Title :: makeTitle($row->page_namespace, $row->page_title); - if (!$title->userCanRead()) - return false; - $vals = array(); $vals['pageid'] = intval($row->page_id); - ApiQueryBase :: addTitleInfo($vals, $title); + ApiQueryBase :: addTitleInfo($vals, Title :: makeTitle($row->page_namespace, $row->page_title)); return $vals; } @@ -239,7 +235,7 @@ class ApiQueryBacklinks extends ApiQueryGeneratorBase { $rootNs = intval($continueList[0]); if (($rootNs !== 0 || $continueList[0] === '0') && !empty ($continueList[1])) { $this->rootTitle = Title :: makeTitleSafe($rootNs, $continueList[1]); - if ($this->rootTitle && $this->rootTitle->userCanRead()) { + if ($this->rootTitle) { $step = intval($continueList[2]); if ($step === 1 || $step === 2) { @@ -287,7 +283,7 @@ class ApiQueryBacklinks extends ApiQueryGeneratorBase { $rootNs = intval($continueList[0]); if (($rootNs !== 0 || $continueList[0] === '0') && !empty ($continueList[1])) { $this->rootTitle = Title :: makeTitleSafe($rootNs, $continueList[1]); - if ($this->rootTitle && $this->rootTitle->userCanRead()) { + if ($this->rootTitle) { $contID = intval($continueList[2]); if ($contID !== 0) { diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php index 41c406ad02..b327fa42ca 100644 --- a/includes/api/ApiQueryBase.php +++ b/includes/api/ApiQueryBase.php 
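Review bot: `extractRowInfo` can no longer return `false`, but its contract is undocumented and the callers that consumed that `false` lie outside this hunk and are not touched by the commit; the same applies to the `extractRowInfo` hunks in ApiQueryLogEvents, ApiQueryUserContributions and ApiQueryWatchlist. In ApiQueryWatchlist the context line `if ($vals) $data[] = $vals;` shows such a guard, which now only drops an empty `$vals` (no `fld_*` selected) — possibly not what it was written for. Add `/** @return array Row values for the API result; never false — read restrictions are not applied here. */` to each of the four methods, and for ApiQueryUserContributions confirm that the docblock ending on the context line just above the method does not still describe the old `false` return.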
@@ -128,13 +128,9 @@ abstract class ApiQueryBase extends ApiBase { return $res; } - public static function addTitleInfo(&$arr, $title, $includeRestricted=false, $prefix='') { - if ($includeRestricted || $title->userCanRead()) { - $arr[$prefix . 'ns'] = intval($title->getNamespace()); - $arr[$prefix . 'title'] = $title->getPrefixedText(); - } - if (!$title->userCanRead()) - $arr[$prefix . 'inaccessible'] = ""; + public static function addTitleInfo(&$arr, $title, $prefix='') { + $arr[$prefix . 'ns'] = intval($title->getNamespace()); + $arr[$prefix . 'title'] = $title->getPrefixedText(); } /** diff --git a/includes/api/ApiQueryCategories.php b/includes/api/ApiQueryCategories.php index 2da8b20d67..2283a8b978 100644 --- a/includes/api/ApiQueryCategories.php +++ b/includes/api/ApiQueryCategories.php @@ -95,11 +95,9 @@ class ApiQueryCategories extends ApiQueryGeneratorBase { } $title = Title :: makeTitle(NS_CATEGORY, $row->cl_to); - // do not check userCanRead() -- page content is already accessible, - // and category is listed there. $vals = array(); - ApiQueryBase :: addTitleInfo($vals, $title, true); + ApiQueryBase :: addTitleInfo($vals, $title); if ($fld_sortkey) $vals['sortkey'] = $row->cl_sortkey; @@ -114,9 +112,7 @@ class ApiQueryCategories extends ApiQueryGeneratorBase { $titles = array(); while ($row = $db->fetchObject($res)) { - $title = Title :: makeTitle(NS_CATEGORY, $row->cl_to); - if($title->userCanRead()) - $titles[] = $title; + $titles[] = Title :: makeTitle(NS_CATEGORY, $row->cl_to); } $resultPageSet->populateFromTitles($titles); } diff --git a/includes/api/ApiQueryCategoryMembers.php b/includes/api/ApiQueryCategoryMembers.php index 175aabc8bf..cbb1ddf706 100644 --- a/includes/api/ApiQueryCategoryMembers.php +++ b/includes/api/ApiQueryCategoryMembers.php 
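Review bot: Removing the positional `$includeRestricted` parameter means any caller not updated in this commit binds its old boolean to `$prefix`: `true` silently produces the keys `1ns`/`1title`, while `false` degrades to the empty prefix and so goes unnoticed. Every call site visible in this diff is consistent, but the function has neither documentation nor a guard against a stale caller. Add `/** Adds 'ns' and 'title' (optionally prefixed) for $title; read restrictions are intentionally not checked here. @param string $prefix */` and consider failing loudly on a non-string, e.g. `if (!is_string($prefix)) throw new MWException(__METHOD__ . ': $prefix must be a string');`. The `inaccessible` output key also disappears from the response format; if the API output documentation mentions it, that needs updating too.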
@@ -100,19 +100,17 @@ class ApiQueryCategoryMembers extends ApiQueryGeneratorBase { $lastSortKey = $row->cl_sortkey; // detect duplicate sortkeys if (is_null($resultPageSet)) { - $title = Title :: makeTitle($row->page_namespace, $row->page_title); - if ($title->userCanRead()) { - $vals = array(); - if ($fld_ids) - $vals['pageid'] = intval($row->page_id); - if ($fld_title) { - $vals['ns'] = intval($title->getNamespace()); - $vals['title'] = $title->getPrefixedText(); - } - if ($fld_sortkey) - $vals['sortkey'] = $row->cl_sortkey; - $data[] = $vals; + $vals = array(); + if ($fld_ids) + $vals['pageid'] = intval($row->page_id); + if ($fld_title) { + $title = Title :: makeTitle($row->page_namespace, $row->page_title); + $vals['ns'] = intval($title->getNamespace()); + $vals['title'] = $title->getPrefixedText(); } + if ($fld_sortkey) + $vals['sortkey'] = $row->cl_sortkey; + $data[] = $vals; } else { $resultPageSet->processDbRow($row); } diff --git a/includes/api/ApiQueryExtLinksUsage.php b/includes/api/ApiQueryExtLinksUsage.php index 5ce92221c4..0b7c474758 100644 --- a/includes/api/ApiQueryExtLinksUsage.php +++ b/includes/api/ApiQueryExtLinksUsage.php 
@@ -110,19 +110,17 @@ class ApiQueryExtLinksUsage extends ApiQueryGeneratorBase { } if (is_null($resultPageSet)) { - $title = Title :: makeTitle($row->page_namespace, $row->page_title); - if ($title->userCanRead()) { - $vals = array(); - if ($fld_ids) - $vals['pageid'] = intval($row->page_id); - if ($fld_title) { - $vals['ns'] = intval($title->getNamespace()); - $vals['title'] = $title->getPrefixedText(); - } - if ($fld_url) - $vals['url'] = $row->el_to; - $data[] = $vals; + $vals = array(); + if ($fld_ids) + $vals['pageid'] = intval($row->page_id); + if ($fld_title) { + $title = Title :: makeTitle($row->page_namespace, $row->page_title); + $vals['ns'] = intval($title->getNamespace()); + $vals['title'] = $title->getPrefixedText(); } + if ($fld_url) + $vals['url'] = $row->el_to; + $data[] = $vals; } else { $resultPageSet->processDbRow($row); } @@ -197,7 +195,7 @@ class ApiQueryExtLinksUsage extends ApiQueryGeneratorBase { } public function getVersion() { - return __CLASS__ . ': $Id:$'; + return __CLASS__ . ': $Id$'; } } ?> diff --git a/includes/api/ApiQueryImages.php b/includes/api/ApiQueryImages.php index 57394673c1..10a5885834 100644 --- a/includes/api/ApiQueryImages.php +++ b/includes/api/ApiQueryImages.php @@ -77,12 +77,8 @@ class ApiQueryImages extends ApiQueryGeneratorBase { $lastId = $row->il_from; } - $title = Title :: makeTitle(NS_IMAGE, $row->il_to); - // do not check userCanRead() -- page content is already accessible, - // and images are listed there. - $vals = array(); - ApiQueryBase :: addTitleInfo($vals, $title, true); + ApiQueryBase :: addTitleInfo($vals, Title :: makeTitle(NS_IMAGE, $row->il_to)); $data[] = $vals; } diff --git a/includes/api/ApiQueryLinks.php b/includes/api/ApiQueryLinks.php index a8bdebdf1a..e3a402769b 100644 --- a/includes/api/ApiQueryLinks.php +++ b/includes/api/ApiQueryLinks.php 
@@ -102,9 +102,8 @@ class ApiQueryLinks extends ApiQueryGeneratorBase { $lastId = $row->pl_from; } - $title = Title :: makeTitle($row->pl_namespace, $row->pl_title); $vals = array(); - ApiQueryBase :: addTitleInfo($vals, $title, true); + ApiQueryBase :: addTitleInfo($vals, Title :: makeTitle($row->pl_namespace, $row->pl_title)); $data[] = $vals; } @@ -116,9 +115,7 @@ class ApiQueryLinks extends ApiQueryGeneratorBase { $titles = array(); while ($row = $db->fetchObject($res)) { - $title = Title :: makeTitle($row->pl_namespace, $row->pl_title); - if($title->userCanRead()) - $titles[] = $title; + $titles[] = Title :: makeTitle($row->pl_namespace, $row->pl_title); } $resultPageSet->populateFromTitles($titles); } diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php index 7c3e6862db..04704f095a 100644 --- a/includes/api/ApiQueryLogEvents.php +++ b/includes/api/ApiQueryLogEvents.php @@ -108,13 +108,10 @@ class ApiQueryLogEvents extends ApiQueryBase { } private function extractRowInfo($row) { - $title = Title :: makeTitle($row->log_namespace, $row->log_title); - if (!$title->userCanRead()) - return false; - $vals = array(); $vals['pageid'] = intval($row->page_id); + $title = Title :: makeTitle($row->log_namespace, $row->log_title); ApiQueryBase :: addTitleInfo($vals, $title); $vals['type'] = $row->log_type; $vals['action'] = $row->log_action; @@ -126,7 +123,7 @@ class ApiQueryLogEvents extends ApiQueryBase { if (isset ($params[0])) { $title = Title :: newFromText($params[0]); if ($title) { - ApiQueryBase :: addTitleInfo($vals, $title, false, "new_"); + ApiQueryBase :: addTitleInfo($vals, $title, "new_"); $params = null; } } diff --git a/includes/api/ApiQueryRecentChanges.php b/includes/api/ApiQueryRecentChanges.php index 07571db7dd..420ff96ec7 100644 --- a/includes/api/ApiQueryRecentChanges.php +++ b/includes/api/ApiQueryRecentChanges.php 
@@ -125,23 +125,12 @@ class ApiQueryRecentChanges extends ApiQueryBase { $result->addValue('query', $this->getModuleName(), $data); } - /** - * Security overview: As implemented, any change to a restricted page (userCanRead() == false) - * is hidden from the client, except when a page is being moved to a non-restricted name, - * or when a non-restricted becomes restricted. When shown, all other fields are shown as well. - */ private function extractRowInfo($row) { - $title = Title :: makeTitle($row->rc_namespace, $row->rc_title); $movedToTitle = false; if (!empty($row->rc_moved_to_title)) $movedToTitle = Title :: makeTitle($row->rc_moved_to_ns, $row->rc_moved_to_title); - // If either this is an edit of a restricted page, - // or a move where both to and from names are restricted, skip - if (!$title->userCanRead() && (!$movedToTitle || - ($movedToTitle && !$movedToTitle->userCanRead()))) - return false; - + $title = Title :: makeTitle($row->rc_namespace, $row->rc_title); $vals = array (); $vals['type'] = intval($row->rc_type); @@ -149,7 +138,7 @@ class ApiQueryRecentChanges extends ApiQueryBase { if ($this->fld_title) { ApiQueryBase :: addTitleInfo($vals, $title); if ($movedToTitle) - ApiQueryBase :: addTitleInfo($vals, $movedToTitle, false, "new_"); + ApiQueryBase :: addTitleInfo($vals, $movedToTitle, "new_"); } if ($this->fld_ids) { diff --git a/includes/api/ApiQueryRevisions.php b/includes/api/ApiQueryRevisions.php index ea9e69917a..776bb89811 100644 --- a/includes/api/ApiQueryRevisions.php +++ b/includes/api/ApiQueryRevisions.php 
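Review bot: The removed docblock was the only place that described the security model of this method, and the new code carries no replacement, so a reader of `extractRowInfo` now has no indication that read restrictions are deliberately not applied here. The body continues past the end of this hunk. Replace it with a short docblock such as `/** Builds the result row for one recent change. No read-restriction filtering is applied: title, user, comment and IDs are returned for every change regardless of Title::userCanRead(); page text is only guarded in ApiQueryRevisions (rvprop=content). */` so the decision recorded in the commit message survives in the code.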
@@ -90,6 +90,15 @@ class ApiQueryRevisions extends ApiQueryBase { $this->fld_user = true; } if (isset ($prop['content'])) { + + // For each page we will request, the user must have read rights for that page + foreach ($pageSet->getGoodTitles() as $title) { + if( !$title->userCanRead() ) + $this->dieUsage( + 'The current user is not allowed to read ' . $title->getPrefixedText(), + 'accessdenied'); + } + $this->addTables('text'); $this->addWhere('rev_text_id=old_id'); $this->addFields('old_id'); @@ -132,7 +141,7 @@ class ApiQueryRevisions extends ApiQueryBase { // There is only one ID, use it $this->addWhereFld('rev_page', current(array_keys($pageSet->getGoodTitles()))); - + if(!is_null($user)) { $this->addWhereFld('rev_user_text', $user); } elseif (!is_null( $excludeuser)) { diff --git a/includes/api/ApiQueryUserContributions.php b/includes/api/ApiQueryUserContributions.php index 5a910cb504..edcd614ec9 100644 --- a/includes/api/ApiQueryUserContributions.php +++ b/includes/api/ApiQueryUserContributions.php @@ -172,10 +172,6 @@ class ApiQueryContributions extends ApiQueryBase { */ private function extractRowInfo($row) { - $title = Title :: makeTitle($row->page_namespace, $row->page_title); - if (!$title->userCanRead()) - return false; - $vals = array(); if ($this->fld_ids) { @@ -185,7 +181,8 @@ class ApiQueryContributions extends ApiQueryBase { } if ($this->fld_title) - ApiQueryBase :: addTitleInfo($vals, $title); + ApiQueryBase :: addTitleInfo($vals, + Title :: makeTitle($row->page_namespace, $row->page_title)); if ($this->fld_timestamp) $vals['timestamp'] = wfTimestamp(TS_ISO_8601, $row->rev_timestamp); diff --git a/includes/api/ApiQueryWatchlist.php b/includes/api/ApiQueryWatchlist.php index 5cf8ccf74a..e5f2d03e73 100644 --- a/includes/api/ApiQueryWatchlist.php +++ b/includes/api/ApiQueryWatchlist.php 
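Review bot: The new read check runs before `addTables('text')` and so fails closed before any text row is joined, which is right, but it covers `getGoodTitles()` only and runs only under `rvprop=content`; whether a page set with resolved redirects can still carry unreadable targets, and whether any other revision prop should be guarded the same way, cannot be told from this hunk. The check also aborts the whole request on the first unreadable title — a sound default, but undocumented for generator-driven sets where the client did not choose the titles and cannot tell which one triggered `accessdenied` beyond the title in the message. Add `// Fail closed: any unreadable page in the set rejects the whole request, before the text table is joined.` above the loop, and state in the `content` parameter description that it requires read access to every page in the set.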
@@ -157,14 +157,10 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase { if ($vals) $data[] = $vals; } else { - $title = Title :: makeTitle($row->rc_namespace, $row->rc_title); - // skip any pages that user has no rights to read - if ($title->userCanRead()) { - if ($allrev) { - $data[] = intval($row->rc_this_oldid); - } else { - $data[] = intval($row->rc_cur_id); - } + if ($allrev) { + $data[] = intval($row->rc_this_oldid); + } else { + $data[] = intval($row->rc_cur_id); } } } @@ -184,10 +180,6 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase { private function extractRowInfo($row) { - $title = Title :: makeTitle($row->rc_namespace, $row->rc_title); - if (!$title->userCanRead()) - return false; - $vals = array (); if ($this->fld_ids) { @@ -196,7 +188,7 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase { } if ($this->fld_title) - ApiQueryBase :: addTitleInfo($vals, $title); + ApiQueryBase :: addTitleInfo($vals, Title :: makeTitle($row->rc_namespace, $row->rc_title)); if ($this->fld_user) { $vals['user'] = $row->rc_user_text;