r25944 - Code Review

From MediaWiki.org

Repository: MediaWiki
Revision: r25943 | r25944 (on ViewVC) | r25945 >
Date: 20:04, 19 September 2007
Author: daniel
Status: ok
Tags:
Comment: security fix (read-protection): use anon user privileges when checking what should be shown in the RC RSS feed. Previously, a 'privileged' version might have been cached and served to everyone.
Modified paths:

Diff

Index: trunk/phase3/includes/SpecialRecentchanges.php
===================================================================
--- trunk/phase3/includes/SpecialRecentchanges.php	(revision 25943)
+++ trunk/phase3/includes/SpecialRecentchanges.php	(revision 25944)
@@ -622,7 +622,13 @@
 	$skin = $wgUser->getSkin();
 	$completeText = '<p>' . $skin->formatComment( $comment ) . "</p>\n";
 
-	if( $title->getNamespace() >= 0 && $title->userCan( 'read' ) ) {
+	//NOTE: Check permissions for anonymous users, not current user.
+	//      No "privileged" version should end up in the cache.
+	//      Most feed readers will not log in anway.
+	$anon = new User();
+	$accErrors = $title->getUserPermissionsErrors( 'read', $anon, true );
+
+	if( $title->getNamespace() >= 0 && !$accErrors ) {
 		if( $oldid ) {
 			wfProfileIn( "$fname-dodiff" );
 
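Review bot: `$skin` on the first context line is still taken from `$wgUser`, so `$skin->formatComment( $comment )` renders the item text for whichever user happens to prime the cache, while the read check two lines below now correctly uses `$anon`; for cached feed output it would be more consistent to derive the skin from `$anon` as well (e.g. `$skin = $anon->getSkin();`), or at least note why the per-user skin is acceptable here. The new `!$accErrors` test relies on `getUserPermissionsErrors()` returning an empty array when access is allowed, which is the intended contract, so that part looks right. Minor: "anway" in the added comment should read "anyway".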

Follow-up revisions

Revision: r26015 | Commit summary: Merged revisions 25932-26011 via svnmerge from | Author: david | Date: 21:05, 21 September 2007