X-Git-Url: https://git.cyclocoop.org/admin/?a=blobdiff_plain;f=includes%2FTitle.php;h=ca62e0e0dece2575d9357f2ac6a661cf0cdfcefe;hb=b0df641d31ce0faa4c77db5678ca3c8393778dec;hp=12186394c57aca0e8414bbb68f0369f87df8c2c9;hpb=4444f35d1d9f23bcb777fd4c19f8ea42888ae4a9;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/Title.php b/includes/Title.php index 12186394c5..ca62e0e0de 100644 --- a/includes/Title.php +++ b/includes/Title.php @@ -134,8 +134,15 @@ class Title implements LinkTarget { /** @var bool Boolean for initialisation on demand */ public $mRestrictionsLoaded = false; - /** @var string Text form including namespace/interwiki, initialised on demand */ - protected $mPrefixedText = null; + /** + * Text form including namespace/interwiki, initialised on demand + * + * Only public to share cache with TitleFormatter + * + * @private + * @var string + */ + public $prefixedText = null; /** @var mixed Cached value for getTitleProtection (create protection) */ public $mTitleProtection; @@ -1119,7 +1126,9 @@ class Title implements LinkTarget { */ public function isSpecial( $name ) { if ( $this->isSpecialPage() ) { - list( $thisName, /* $subpage */ ) = SpecialPageFactory::resolveAlias( $this->mDbkeyform ); + list( $thisName, /* $subpage */ ) = + MediaWikiServices::getInstance()->getSpecialPageFactory()-> + resolveAlias( $this->mDbkeyform ); if ( $name == $thisName ) { return true; } @@ -1135,9 +1144,10 @@ class Title implements LinkTarget { */ public function fixSpecialName() { if ( $this->isSpecialPage() ) { - list( $canonicalName, $par ) = SpecialPageFactory::resolveAlias( $this->mDbkeyform ); + $spFactory = MediaWikiServices::getInstance()->getSpecialPageFactory(); + list( $canonicalName, $par ) = $spFactory->resolveAlias( $this->mDbkeyform ); if ( $canonicalName ) { - $localName = SpecialPageFactory::getLocalNameFor( $canonicalName, $par ); + $localName = $spFactory->getLocalNameFor( $canonicalName, $par ); if ( $localName != $this->mDbkeyform ) { return self::makeTitle( NS_SPECIAL, $localName ); } @@ -1470,6 +1480,22 @@ class Title implements LinkTarget { ); } + /** + * Is this a message which can contain raw HTML? + * + * @return bool + * @since 1.32 + */ + public function isRawHtmlMessage() { + global $wgRawHtmlMessages; + + if ( !$this->inNamespace( NS_MEDIAWIKI ) ) { + return false; + } + $message = lcfirst( $this->getRootTitle()->getDBkey() ); + return in_array( $message, $wgRawHtmlMessages, true ); + } + /** * Is this a talk page of some sort? * @@ -1666,12 +1692,12 @@ class Title implements LinkTarget { * @return string The prefixed title, with spaces */ public function getPrefixedText() { - if ( $this->mPrefixedText === null ) { + if ( $this->prefixedText === null ) { $s = $this->prefix( $this->mTextform ); $s = strtr( $s, '_', ' ' ); - $this->mPrefixedText = $s; + $this->prefixedText = $s; } - return $this->mPrefixedText; + return $this->prefixedText; } /** @@ -2382,6 +2408,13 @@ class Title implements LinkTarget { $error = [ 'sitejsonprotected', $action ]; } elseif ( $this->isSiteJsConfigPage() && !$user->isAllowed( 'editsitejs' ) ) { $error = [ 'sitejsprotected', $action ]; + } elseif ( $this->isRawHtmlMessage() ) { + // Raw HTML can be used to deploy CSS or JS so require rights for both. + if ( !$user->isAllowed( 'editsitejs' ) ) { + $error = [ 'sitejsprotected', $action ]; + } elseif ( !$user->isAllowed( 'editsitecss' ) ) { + $error = [ 'sitecssprotected', $action ]; + } } if ( $error ) { @@ -2413,25 +2446,34 @@ class Title implements LinkTarget { # Protect css/json/js subpages of user pages # XXX: this might be better using restrictions - if ( $action != 'patrol' ) { - if ( preg_match( '/^' . preg_quote( $user->getName(), '/' ) . '\//', $this->mTextform ) ) { - if ( - $this->isUserCssConfigPage() - && !$user->isAllowedAny( 'editmyusercss', 'editusercss' ) - ) { - $errors[] = [ 'mycustomcssprotected', $action ]; - } elseif ( - $this->isUserJsonConfigPage() - && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' ) - ) { - $errors[] = [ 'mycustomjsonprotected', $action ]; - } elseif ( - $this->isUserJsConfigPage() - && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' ) - ) { - $errors[] = [ 'mycustomjsprotected', $action ]; - } - } else { + if ( $action === 'patrol' ) { + return []; + } + + if ( preg_match( '/^' . preg_quote( $user->getName(), '/' ) . '\//', $this->mTextform ) ) { + // Users need editmyuser* to edit their own CSS/JSON/JS subpages. + if ( + $this->isUserCssConfigPage() + && !$user->isAllowedAny( 'editmyusercss', 'editusercss' ) + ) { + $errors[] = [ 'mycustomcssprotected', $action ]; + } elseif ( + $this->isUserJsonConfigPage() + && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' ) + ) { + $errors[] = [ 'mycustomjsonprotected', $action ]; + } elseif ( + $this->isUserJsConfigPage() + && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' ) + ) { + $errors[] = [ 'mycustomjsprotected', $action ]; + } + } else { + // Users need editmyuser* to edit their own CSS/JSON/JS subpages, except for + // deletion/suppression which cannot be used for attacks and we want to avoid the + // situation where an unprivileged user can post abusive content on their subpages + // and only very highly privileged users could remove it. + if ( !in_array( $action, [ 'delete', 'deleterevision', 'suppressrevision' ], true ) ) { if ( $this->isUserCssConfigPage() && !$user->isAllowed( 'editusercss' ) @@ -2705,7 +2747,9 @@ class Title implements LinkTarget { } elseif ( $this->isSpecialPage() ) { # If it's a special page, ditch the subpage bit and check again $name = $this->mDbkeyform; - list( $name, /* $subpage */ ) = SpecialPageFactory::resolveAlias( $name ); + list( $name, /* $subpage */ ) = + MediaWikiServices::getInstance()->getSpecialPageFactory()-> + resolveAlias( $name ); if ( $name ) { $pure = SpecialPage::getTitleFor( $name )->getPrefixedText(); if ( in_array( $pure, $wgWhitelistRead, true ) ) { @@ -4678,7 +4722,8 @@ class Title implements LinkTarget { return (bool)wfFindFile( $this ); case NS_SPECIAL: // valid special page - return SpecialPageFactory::exists( $this->mDbkeyform ); + return MediaWikiServices::getInstance()->getSpecialPageFactory()-> + exists( $this->mDbkeyform ); case NS_MAIN: // selflink, possibly with fragment return $this->mDbkeyform == '';