Fix permissions check (#496)

See comment.
miraheze · Mar 27, 2024 · 6bc0685 · 6bc0685
1 parent 0c95d0d
commit 6bc0685
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/includes/RequestWiki/Handler/RestWikiRequest.php b/includes/RequestWiki/Handler/RestWikiRequest.php
@@ -60,9 +60,19 @@ public function run( $id ) {
 		);
 		if ( $wikiRequest ) {
 			$wikiRequestVisibility = $visibilityConds[$wikiRequest->cw_visibility];
-			if ( !$this->getAuthority()->isAllowed( $wikiRequestVisibility ) ) {
-				// User does not have permission to view this wiki request
-				return $this->getResponseFactory()->createHttpError( 404, ['message' => 'Request not found'] );
+
+			/*
+			 * CreateWiki is enabled globally on all wikis in the farm.
+			 *
+			 * Require both (createwiki) and the required permission to prevent suppressed requests from
+			 * being revealed to local suppressors/sysops
+			 */
+
+			if ( $wikiRequestVisibility !== 'read' ) {
+				if ( !$this->getAuthority()->isAllowedAll( 'createwiki', $wikiRequestVisibility ) ) {
+					// User does not have permission to view this request
+					return $this->getResponseFactory()->createHttpError( 404, ['message' => 'Request not found'] );
+				}
 			}
 			$response = [
 				'comment' => $wikiRequest->cw_comment,