MediaWiki r25944 - Code Review

Repository: MediaWiki
Revision: r25943 | r25944 (on ViewVC) | r25945 >
Date: 20:04, 19 September 2007
Author: daniel
Status: old
Tags:
Comment:
security fix (read-protection): use anon user privileges when checking what should be shown in the RC RSS feed. Previously, a 'privileged' version might have been cached and served to everyone.
Modified paths:

Diff

Index: trunk/phase3/includes/SpecialRecentchanges.php
===================================================================
--- trunk/phase3/includes/SpecialRecentchanges.php	(revision 25943)
+++ trunk/phase3/includes/SpecialRecentchanges.php	(revision 25944)
@@ -622,7 +622,13 @@
 	$skin = $wgUser->getSkin();
 	$completeText = '<p>' . $skin->formatComment( $comment ) . "</p>\n";
 
-	if( $title->getNamespace() >= 0 && $title->userCan( 'read' ) ) {
+	//NOTE: Check permissions for anonymous users, not current user.
+	//      No "privileged" version should end up in the cache.
+	//      Most feed readers will not log in anway.
+	$anon = new User();
+	$accErrors = $title->getUserPermissionsErrors( 'read', $anon, true );
+
+	if( $title->getNamespace() >= 0 && !$accErrors ) {
 		if( $oldid ) {
 			wfProfileIn( "$fname-dodiff" );
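
Review bot: The new anonymous read check only guards the branch that follows it, but `$completeText` is already seeded with `$skin->formatComment( $comment )` two lines above the added code, before any permission check. If that paragraph is emitted for titles where `$accErrors` is non-empty, the edit summary of a read-protected page still reaches the feed and the cache; consider building the comment paragraph inside the `!$accErrors` branch, or confirm that the caller drops it. The same context lines still take the skin from `$wgUser`, so the cached output can still depend on who triggered the rendering; using `$anon` for the skin as well would make the anonymous-only intent consistent. Smaller points: `getUserPermissionsErrors()` is called even when `$title->getNamespace() >= 0` is false, so testing the namespace first would skip the lookup for those titles; the comment should say what the third argument `true` selects; and "anway" in the comment should read "anyway".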
 

Follow-up revisions

Rev. | Commit summary | Author | Date
r26015 | Merged revisions 25932-26011 via svnmerge from... | david | 21:05, 21 September 2007

Status & tagging log

  • 15:20, 12 September 2011 Meno25 (Talk | contribs) changed the status of r25944 [removed: ok added: old]