Apply proper restrictions on file revert action

Users should have 'reupload' or 'reupload-own' rights to do file revert. Bug: T304474 Change-Id: I2d0eaeeea237286741708c2b5920fe7cca3acf50 (cherry picked from commit 7b4aee237e257954195c4d695b2cfe2a9a3b4116)
2021-11-09 09:47:14 +00:00 · 2021-11-09 09:47:14 +00:00 · 06b9aa64b2
commit 06b9aa64b2
parent 524b93e175
2 changed files with 17 additions and 0 deletions
--- a/includes/actions/RevertAction.php
+++ b/includes/actions/RevertAction.php
@ -71,6 +71,7 @@ class RevertAction extends FormAction {
 	}

 	public function getRestriction() {
+		// Required permissions of revert are complicated, will be checked below.
 		return 'upload';
 	}

@ -78,6 +79,16 @@ class RevertAction extends FormAction {
 		if ( $this->getTitle()->getNamespace() !== NS_FILE ) {
 			throw new ErrorPageError( $this->msg( 'nosuchaction' ), $this->msg( 'nosuchactiontext' ) );
 		}
+
+		$rights = [ 'reupload' ];
+		if ( $user->equals( $this->getFile()->getUploader() ) ) {
+			// reupload-own is more basic, put it in the front for error messages.
+			array_unshift( $rights, 'reupload-own' );
+		}
+		if ( !$user->isAllowedAny( ...$rights ) ) {
+			throw new PermissionsError( $rights[0] );
+		}
+
 		parent::checkCanExecute( $user );

 		$oldimage = $this->getRequest()->getText( 'oldimage' );
--- a/includes/api/ApiFileRevert.php
+++ b/includes/api/ApiFileRevert.php
@ -61,6 +61,12 @@ class ApiFileRevert extends ApiBase {

 		// Check whether we're allowed to revert this file
 		$this->checkTitleUserPermissions( $this->file->getTitle(), [ 'edit', 'upload' ] );
+		$rights = [ 'reupload' ];
+		if ( $this->getUser()->equals( $this->file->getUploader() ) ) {
+			// reupload-own is more basic, put it in the front for error messages.
+			array_unshift( $rights, 'reupload-own' );
+		}
+		$this->checkUserRightsAny( $rights );

 		$sourceUrl = $this->file->getArchiveVirtualUrl( $this->archiveName );
 		$status = $this->file->upload(