SECURITY: Allow user to only apply protection they have right to do so via action=protect

'apierror-protect-invalidlevel' potentially wants updating at a later point, as the
message doesn't necessarily make clear what the error is; the protection may be valid
but the user's right to apply it is not.

Bug: T270713
Change-Id: I72fe67264baa4123599ec424a7d780192ca54bcc
Reedy 2021-01-04 18:06:09 +00:00
parent 497b53853d
commit 6b9be9c0e9


@ -67,6 +67,10 @@ class ApiProtect extends ApiBase {
}
$restrictionTypes = $titleObj->getRestrictionTypes();
$levels = $this->getPermissionManager()->getNamespaceRestrictionLevels(
$titleObj->getNamespace(),
$user
);
$protections = [];
$expiryarray = [];
@ -85,7 +89,7 @@ class ApiProtect extends ApiBase {
if ( !in_array( $p[0], $restrictionTypes ) && $p[0] != 'create' ) {
$this->dieWithError( [ 'apierror-protect-invalidaction', wfEscapeWikiText( $p[0] ) ] );
}
if ( !in_array( $p[1], $this->getConfig()->get( 'RestrictionLevels' ) ) && $p[1] != 'all' ) {
if ( !in_array( $p[1], $levels ) && $p[1] != 'all' ) {
$this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
}
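Review bot: The new level check `if ( !in_array( $p[1], $levels ) && $p[1] != 'all' )` is now an authorization decision rather than plain input validation, yet it still uses loose `in_array` matching; passing the strict flag, `!in_array( $p[1], $levels, true )`, keeps a numeric-looking level string from matching a different entry in the user's allowed list. A short comment above it, such as `// $levels holds only the levels $user may apply in this namespace, so this rejects levels the user has no right to set`, would stop a later cleanup from reverting to the site-wide `RestrictionLevels` list. The `'all'` value is still exempt from the per-user list, so removing a restriction is not covered by this check and presumably relies on permission checks outside the hunk; that is worth confirming. The enclosing method starts and ends outside the hunk, and no test for the rejected-level case is visible on this page.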