message, the level of protection.
* (bug 9611) Supply the blocker and reason for the cantcreateaccounttext
message.
+* (bug 8759) Fixed bug where rollback was allowed on protected pages for wikis
+ where rollback is given to non-sysops.
=== API changes in 1.12 ===
public function doRollback( $fromP, $summary, $token, $bot, &$resultDetails ) {
global $wgUser, $wgUseRCPatrol;
$resultDetails = null;
-
- if( $wgUser->isAllowed( 'rollback' ) ) {
+
+ # Just in case it's being called from elsewhere
+
+ if( $wgUser->isAllowed( 'rollback' ) && $this->mTitle->userCan( 'edit' ) ) {
if( $wgUser->isBlocked() ) {
return self::BLOCKED;
}
if ( wfReadOnly() ) {
return self::READONLY;
}
+
if( !$wgUser->matchEditToken( $token, array( $this->mTitle->getPrefixedText(), $fromP ) ) )
return self::BAD_TOKEN;
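Review bot: The guard added to doRollback(), `$wgUser->isAllowed( 'rollback' ) && $this->mTitle->userCan( 'edit' )`, is narrower than the check the later hunk adds for the UI path, which runs `getUserPermissionsErrors()` for both 'edit' and 'rollback'. Any title-level restriction on 'rollback' is therefore enforced only for requests that pass through that UI code, not for the other callers this guard is meant to cover. Since doRollback() is the one point every caller shares, it should apply the same title-level test to both actions, for example `if( $wgUser->isAllowed( 'rollback' ) && $this->mTitle->userCan( 'edit' ) && $this->mTitle->userCan( 'rollback' ) ) {`. The comment `# Just in case it's being called from elsewhere` would read better as `# Enforce edit and rollback permissions here as well: callers other than the UI reach doRollback() directly`. The later hunk's comment says the permission check in doRollback() is skipped, but it is only duplicated, and the failure branch of this `if` lies outside the hunk, so what is returned for a protected page could not be checked here.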
global $wgUser, $wgOut, $wgRequest, $wgUseRCPatrol;
$details = null;
+
+ # Skip the permissions-checking in doRollback() itself, by checking permissions here.
+
+ $perm_errors = array_merge( $this->mTitle->getUserPermissionsErrors( 'edit', $wgUser ),
+ $this->mTitle->getUserPermissionsErrors( 'rollback', $wgUser ) );
+
+ if (count($perm_errors)) {
+ $wgOut->showPermissionsErrorPage( $perm_errors );
+ return;
+ }
+
$result = $this->doRollback(
$wgRequest->getVal( 'from' ),
$wgRequest->getText( 'summary' ),