Use Authority::authorizeAction for implicit purge/linkpurge right

Use of Authority::authorizeWrite includes permission checks for the title against the edit rights, which was not the case using User::pingLimiter before 26456e5b / 07a9c87b Bug: T354460 Follow-Up: I9fee34f5b44e947a00f1aaf2d28202d009e2caec Follow-Up: If85e2af107dd901d98e9553d7d38144f1bac62af Change-Id: Ic03714e849bf3bd550f64e194797b45823b42c08
2024-01-26 23:29:09 +01:00 · 2024-01-26 23:29:09 +01:00 · 352fce6eda
commit 352fce6eda
parent 855c7b5913
3 changed files with 7 additions and 15 deletions
--- a/includes/actions/PurgeAction.php
+++ b/includes/actions/PurgeAction.php
@ -45,7 +45,7 @@ class PurgeAction extends FormAction {
 		$page = $this->getWikiPage();

 		$status = PermissionStatus::newEmpty();
-		if ( !$authority->authorizeWrite( 'purge', $page->getTitle(), $status ) ) {
+		if ( !$authority->authorizeAction( 'purge', $status ) ) {
 			return Status::wrap( $status );
 		}

--- a/includes/api/ApiPurge.php
+++ b/includes/api/ApiPurge.php
@ -89,7 +89,7 @@ class ApiPurge extends ApiBase {
 			$page = $this->wikiPageFactory->newFromTitle( $pageIdentity );

 			$authStatus = PermissionStatus::newEmpty();
-			if ( $authority->authorizeWrite( 'purge', $pageIdentity, $authStatus ) ) {
+			if ( $authority->authorizeAction( 'purge', $authStatus ) ) {
 				// Directly purge and skip the UI part of purge()
 				$page->doPurge();
 				$r['purged'] = true;
@ -102,7 +102,7 @@ class ApiPurge extends ApiBase {
 			}

 			if ( $forceLinkUpdate || $forceRecursiveLinkUpdate ) {
-				if ( $authority->authorizeWrite( 'linkpurge', $pageIdentity, $authStatus ) ) {
+				if ( $authority->authorizeAction( 'linkpurge', $authStatus ) ) {
 					# Logging to better see expensive usage patterns
 					if ( $forceRecursiveLinkUpdate ) {
 						LoggerFactory::getInstance( 'RecursiveLinkPurge' )->info(
--- a/tests/phpunit/includes/api/ApiPurgeTest.php
+++ b/tests/phpunit/includes/api/ApiPurgeTest.php
@ -1,6 +1,5 @@
 <?php

-use MediaWiki\Page\PageIdentity;
 use MediaWiki\Permissions\Authority;
 use MediaWiki\Permissions\PermissionStatus;

@ -55,7 +54,7 @@ class ApiPurgeTest extends ApiTestCase {
 		$authority = $this->createNoOpMock(
 			Authority::class,
 			[
-				'authorizeWrite',
+				'authorizeAction',
 				'getUser',
 				'isAllowed',
 				'getBlock'
@ -65,15 +64,9 @@ class ApiPurgeTest extends ApiTestCase {
 		$authority->method( 'getUser' )->willReturn( $user );
 		$authority->method( 'getBlock' )->willReturn( null );
 		$authority->method( 'isAllowed' )->willReturn( true );
-		$authority->method( 'authorizeWrite' )->willReturnCallback(
-			static function ( string $action, PageIdentity $page, PermissionStatus $status )
-				use ( $page1 )
-			{
-				if ( $page->getDBkey() === $page1 ) {
-					$status->fatal( 'permissionserrors' );
-				} else {
-					$status->setRateLimitExceeded();
-				}
+		$authority->method( 'authorizeAction' )->willReturnCallback(
+			static function ( string $action, PermissionStatus $status ) {
+				$status->setRateLimitExceeded();

 				return false;
 			}
@ -87,7 +80,6 @@ class ApiPurgeTest extends ApiTestCase {
 		$this->assertNotEmpty( $data['warnings']['purge']['warnings'] );
 		$warnings = $data['warnings']['purge']['warnings'];

-		$this->assertStringContainsString( 'Permission error', $warnings );
 		$this->assertStringContainsString( 'exceeded your rate limit', $warnings );
 	}
 }