Merge pull request from GHSA-4rcf-3cj2-46mq
* Require `(createwiki)` user right to see suppressed wiki requests

* Check for `(read)`
redbluegreenhat committed Mar 27, 2024
1 parent 6bc0685 commit b2fd86c
Showing 2 changed files with 6 additions and 4 deletions.
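--- a/includes/RequestWiki/Handler/RestWikiRequest.php
+++ b/includes/RequestWiki/Handler/RestWikiRequest.php
@@ -68,7 +68,7 @@ public function run( $id ) {
 * being revealed to local suppressors/sysops
 */
 
-if ( $wikiRequestVisibility !== 'read' ) {
+if ( $wikiRequestVisibility !== 'read' && $this->getAuthority()->isAllowed( 'read' ) ) {
 if ( !$this->getAuthority()->isAllowedAll( 'createwiki', $wikiRequestVisibility ) ) {
 // User does not have permission to view this request
 return $this->getResponseFactory()->createHttpError( 404, ['message' => 'Request not found'] );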
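Review bot: The added `&& $this->getAuthority()->isAllowed( 'read' )` makes the suppression check fail open: a caller without `read` skips the `isAllowedAll( 'createwiki', $wikiRequestVisibility )` test and falls through to the rest of run(), which is outside this hunk. Unless an earlier layer already rejects callers without `read` (not visible here), the missing right should deny instead of bypass, for example an outer guard `if ( !$this->getAuthority()->isAllowed( 'read' ) || ( $wikiRequestVisibility !== 'read' && !$this->getAuthority()->isAllowedAll( 'createwiki', $wikiRequestVisibility ) ) ) {` returning the same 404. The same skip-when-no-`read` shape is added in RequestWikiRequestViewer.php's getFormDescriptor. A short comment stating which layer enforces `read` would make the intent reviewable.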
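--- a/includes/RequestWiki/RequestWikiRequestViewer.php
+++ b/includes/RequestWiki/RequestWikiRequestViewer.php
@@ -44,10 +44,12 @@ public function getFormDescriptor(
 // but if we can't view the request, it also doesn't exist
 $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
 
-if ( !$permissionManager->userHasRight( $userR, $visibilityConds[$request->visibility] ) ) {
-$context->getOutput()->addHTML( Html::errorBox( wfMessage( 'requestwiki-unknown' )->escaped() ) );
+if ( !$visibilityConds[$request->visibility] !== 'read' && $permissionManager->userHasRight( $userR, 'read' ) ) {
+if ( !$permissionManager->userHasAllRights( $userR, 'createwiki', $visibilityConds[$request->visibility] ) ) {
+$context->getOutput()->addHTML( Html::errorBox( wfMessage( 'requestwiki-unknown' )->escaped() ) );
 
-return [];
+return [];
+}
 }
 
 $formDescriptor = [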
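Review bot: In the added outer condition, `!$visibilityConds[$request->visibility] !== 'read'` applies `!` before the comparison, so a boolean is compared with the string `'read'` and the test is always true. The inner `userHasAllRights( $userR, 'createwiki', ... )` check therefore runs for every visibility level, including public requests, which differs from the plain comparison used in RestWikiRequest.php and looks unintended. Drop the stray negation: `if ( $visibilityConds[$request->visibility] !== 'read' && $permissionManager->userHasRight( $userR, 'read' ) ) {`. getFormDescriptor starts and ends outside this hunk, so whether `$request->visibility` is always a valid key of `$visibilityConds` cannot be confirmed from here.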
