SECURITY: Do not show log action if revdeleted
Also do not include revdeleted entries in search results when filtering by action if user cannot view that info. Bug: 72222 Change-Id: I359ce3c67b1a7c24b76a8bade62ce0c77ff5efb0
parent
ffdd99bef1
commit
89b793b9f7
1 changed files with 11 additions and 5 deletions
|
|
@ -200,7 +200,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
|
|||
}
|
||||
|
||||
// Paranoia: avoid brute force searches (bug 17342)
|
||||
if ( $params['namespace'] !== null || !is_null( $title ) || !is_null( $user ) ) {
|
||||
$hideActions = $params['namespace'] !== null || !is_null( $title ) || !is_null( $params['action'] );
|
||||
if ( $hideActions || !is_null( $user ) ) {
|
||||
if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
|
||||
$titleBits = LogPage::DELETED_ACTION;
|
||||
$userBits = LogPage::DELETED_USER;
|
||||
|
|
@ -211,7 +212,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
|
|||
$titleBits = 0;
|
||||
$userBits = 0;
|
||||
}
|
||||
if ( ( $params['namespace'] !== null || !is_null( $title ) ) && $titleBits ) {
|
||||
if ( $hideActions && $titleBits ) {
|
||||
$this->addWhere( $db->bitAnd( 'log_deleted', $titleBits ) . " != $titleBits" );
|
||||
}
|
||||
if ( !is_null( $user ) && $userBits ) {
|
||||
|
|
@ -372,12 +373,18 @@ class ApiQueryLogEvents extends ApiQueryBase {
|
|||
$title = Title::makeTitle( $row->log_namespace, $row->log_title );
|
||||
}
|
||||
|
||||
if ( $this->fld_title || $this->fld_ids || $this->fld_details && $row->log_params !== '' ) {
|
||||
if ( $this->fld_title || $this->fld_ids || $this->fld_type
|
||||
|| $this->fld_details && $row->log_params !== ''
|
||||
) {
|
||||
if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) {
|
||||
$vals['actionhidden'] = '';
|
||||
$anyHidden = true;
|
||||
}
|
||||
if ( LogEventsList::userCan( $row, LogPage::DELETED_ACTION, $user ) ) {
|
||||
|
||||
if ( $this->fld_type ) {
|
||||
$vals['action'] = $row->log_action;
|
||||
}
|
||||
if ( $this->fld_title ) {
|
||||
ApiQueryBase::addTitleInfo( $vals, $title );
|
||||
}
|
||||
|
|
@ -399,9 +406,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
|
|||
}
|
||||
}
|
||||
|
||||
if ( $this->fld_type || $this->fld_action ) {
|
||||
if ( $this->fld_type ) {
|
||||
$vals['type'] = $row->log_type;
|
||||
$vals['action'] = $row->log_action;
|
||||
}
|
||||
|
||||
if ( $this->fld_user || $this->fld_userid ) {
|
||||
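Review bot: `$hideActions` is a hand-maintained list of the filters that can match on a hidden action or target (namespace, title, action), and nothing at its assignment says so; a filter added later on the same columns could bypass the `log_deleted` restriction without anyone noticing. I would state the invariant where it is assigned, e.g. `// Any filter on log_namespace, log_title or log_action must be listed here, otherwise revdeleted rows become searchable by it`. `$titleBits` now also guards action filters, so a name such as `$actionBits` would match what it protects. In the output path the new multi-line condition mixes `||` and `&&` without grouping; `|| ( $this->fld_details && $row->log_params !== '' )` would make the intended precedence explicit. The enclosing methods start and end outside the hunks shown, so whether other request parameters reach the query cannot be confirmed from this page.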
|
|
|
|||