From: jenkins-bot Date: Tue, 10 Sep 2019 19:55:28 +0000 (+0000) Subject: Merge "api: Make ApiQuery(All)DeletedRevisions accessible to everyone" X-Git-Tag: 1.34.0-rc.0~274 X-Git-Url: https://git.cyclocoop.org/admin/?a=commitdiff_plain;h=5b8a12363dea7640a9e59234cd64d5b890762982;hp=93f78d904d22fc0e22d373d0aea253493ee640fc;p=lhc%2Fweb%2Fwiklou.git Merge "api: Make ApiQuery(All)DeletedRevisions accessible to everyone" --- diff --git a/RELEASE-NOTES-1.34 b/RELEASE-NOTES-1.34 index b8c9102d82..076f2f568e 100644 --- a/RELEASE-NOTES-1.34 +++ b/RELEASE-NOTES-1.34 @@ -162,8 +162,8 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false; === Action API changes in 1.34 === * The 'recenteditcount' response property from action=query list=allusers, deprecated in 1.25, has been removed. -* (T60993) action=query list=filearchive no longer requires the 'deletedhistory' - user right. +* (T60993) action=query list=filearchive, list=alldeletedrevisions and + prop=deletedrevisions no longer require the 'deletedhistory' user right. === Action API internal changes in 1.34 === * The exception thrown in ApiModuleManager::getModule has been changed diff --git a/includes/api/ApiQueryAllDeletedRevisions.php b/includes/api/ApiQueryAllDeletedRevisions.php index 7d6d342113..2a499844a4 100644 --- a/includes/api/ApiQueryAllDeletedRevisions.php +++ b/includes/api/ApiQueryAllDeletedRevisions.php @@ -43,9 +43,6 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase { * @return void */ protected function run( ApiPageSet $resultPageSet = null ) { - // Before doing anything at all, let's check permissions - $this->checkUserRightsAny( 'deletedhistory' ); - $user = $this->getUser(); $db = $this->getDB(); $params = $this->extractRequestParams( false ); @@ -144,8 +141,15 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase { } // This means stricter restrictions - if ( $this->fetchContent ) { - $this->checkUserRightsAny( [ 'deletedtext', 'undelete' ] ); + if ( ( $this->fld_comment || $this->fld_parsedcomment ) && + !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) + ) { + $this->dieWithError( 'apierror-cantview-deleted-comment', 'permissiondenied' ); + } + if ( $this->fetchContent && + !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' ) + ) { + $this->dieWithError( 'apierror-cantview-deleted-revision-content', 'permissiondenied' ); } $miser_ns = null; @@ -235,8 +239,6 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase { if ( !is_null( $params['user'] ) || !is_null( $params['excludeuser'] ) ) { // Paranoia: avoid brute force searches (T19342) - // (shouldn't be able to get here without 'deletedhistory', but - // check it again just in case) if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$this->getPermissionManager() diff --git a/includes/api/ApiQueryDeletedRevisions.php b/includes/api/ApiQueryDeletedRevisions.php index fc88499885..12fd20ae59 100644 --- a/includes/api/ApiQueryDeletedRevisions.php +++ b/includes/api/ApiQueryDeletedRevisions.php @@ -40,8 +40,6 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase { protected function run( ApiPageSet $resultPageSet = null ) { $user = $this->getUser(); - // Before doing anything at all, let's check permissions - $this->checkUserRightsAny( 'deletedhistory' ); $pageSet = $this->getPageSet(); $pageMap = $pageSet->getGoodAndMissingTitlesByNamespace(); @@ -95,8 +93,15 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase { } // This means stricter restrictions - if ( $this->fetchContent ) { - $this->checkUserRightsAny( [ 'deletedtext', 'undelete' ] ); + if ( ( $this->fld_comment || $this->fld_parsedcomment ) && + !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) + ) { + $this->dieWithError( 'apierror-cantview-deleted-comment', 'permissiondenied' ); + } + if ( $this->fetchContent && + !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' ) + ) { + $this->dieWithError( 'apierror-cantview-deleted-revision-content', 'permissiondenied' ); } $dir = $params['dir']; @@ -130,8 +135,6 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase { if ( !is_null( $params['user'] ) || !is_null( $params['excludeuser'] ) ) { // Paranoia: avoid brute force searches (T19342) - // (shouldn't be able to get here without 'deletedhistory', but - // check it again just in case) if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$this->getPermissionManager() diff --git a/includes/api/i18n/en.json b/includes/api/i18n/en.json index 35e45f1005..cc5e872cee 100644 --- a/includes/api/i18n/en.json +++ b/includes/api/i18n/en.json @@ -1727,8 +1727,10 @@ "apierror-cantoverwrite-sharedfile": "The target file exists on a shared repository and you do not have permission to override it.", "apierror-cantsend": "You are not logged in, you do not have a confirmed email address, or you are not allowed to send email to other users, so you cannot send email.", "apierror-cantundelete": "Couldn't undelete: the requested revisions may not exist, or may have been undeleted already.", + "apierror-cantview-deleted-comment": "You don't have permission to view deleted comments.", "apierror-cantview-deleted-description": "You don't have permission to view descriptions of deleted files.", "apierror-cantview-deleted-metadata": "You don't have permission to view metadata of deleted files.", + "apierror-cantview-deleted-revision-content": "You don't have permission to view content of deleted revisions.", "apierror-changeauth-norequest": "Failed to create change request.", "apierror-chunk-too-small": "Minimum chunk size is $1 {{PLURAL:$1|byte|bytes}} for non-final chunks.", "apierror-cidrtoobroad": "$1 CIDR ranges broader than /$2 are not accepted.", diff --git a/includes/api/i18n/qqq.json b/includes/api/i18n/qqq.json index e796d25016..b648443729 100644 --- a/includes/api/i18n/qqq.json +++ b/includes/api/i18n/qqq.json @@ -1615,8 +1615,10 @@ "apierror-cantoverwrite-sharedfile": "{{doc-apierror}}", "apierror-cantsend": "{{doc-apierror}}", "apierror-cantundelete": "{{doc-apierror}}", + "apierror-cantview-deleted-comment": "{{doc-apierror}}", "apierror-cantview-deleted-description": "{{doc-apierror}}", "apierror-cantview-deleted-metadata": "{{doc-apierror}}", + "apierror-cantview-deleted-revision-content": "{{doc-apierror}}", "apierror-changeauth-norequest": "{{doc-apierror}}", "apierror-chunk-too-small": "{{doc-apierror}}\n\nParameters:\n* $1 - Minimum size in bytes.", "apierror-cidrtoobroad": "{{doc-apierror}}\n\nParameters:\n* $1 - \"IPv4\" or \"IPv6\"\n* $2 - Minimum CIDR mask length.",