r112604 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r112603‎ \| r112604 \| r112605 >
Date:	15:38, 28 February 2012
Author:	emsmith
Status:	ok (Comments)
Tags:
Comment:	bug 34090 - can't believe there were no permissions checks in this - only delete group can delete and reset oversight, hide group can hide and request oversight, everybody else can helpful/unhelpful and flag as abuse
Modified paths:	/trunk/extensions/ArticleFeedbackv5/api/ApiFlagFeedbackArticleFeedbackv5.php (modified) (history)

Diff [purge]

Index: trunk/extensions/ArticleFeedbackv5/api/ApiFlagFeedbackArticleFeedbackv5.php
—	—	@@ -45,6 +45,9 @@
46	46	$direction = isset( $params['direction'] ) ? $params['direction'] : 'increase';
47	47	$where = array( 'af_id' => $feedbackId );
48	48
	49	+ // woah, we were not checking for permissions (that could have been script kiddy bad)
	50	+ global $wgUser;
	51	+
49	52	// we use ONE db connection that talks to master
50	53	$dbw = wfGetDB( DB_MASTER );
51	54	$dbw->begin();
—	—	@@ -56,7 +59,7 @@
57	60	// no-op, because this is already broken
58	61	$error = 'articlefeedbackv5-invalid-feedback-id';
59	62
60		~~- } elseif ( 'delete' == $flag ) {~~
	63	+ } elseif ( 'delete' == $flag && $wgUser->isAllowed( 'aftv5-delete-feedback' )) {
61	64
62	65	// deleting means to "mark as oversighted" and "delete" it
63	66	// oversighting also auto-hides the item
—	—	@@ -96,7 +99,7 @@
97	100	$filters['notdeleted'] = 1;
98	101	}
99	102
100		~~- } elseif ( 'hide' == $flag ) {~~
	103	+ } elseif ( 'hide' == $flag && $wgUser->isAllowed( 'aftv5-hide-feedback' )) {
101	104
102	105	// increase means "hide this"
103	106	if( $direction == 'increase' ) {
—	—	@@ -118,7 +121,7 @@
119	122	$filters = $this->changeFilterCounts( $record, $filters, 'show' );
120	123	}
121	124
122		~~- } elseif( 'resetoversight' === $flag) {~~
	125	+ } elseif( 'resetoversight' === $flag && $wgUser->isAllowed( 'aftv5-delete-feedback' )) {
123	126
124	127	$activity = 'decline';
125	128	// oversight request count becomes 0
—	—	@@ -193,7 +196,7 @@
194	197	}
195	198
196	199	// NOTE: this is actually request/unrequest oversight and works similar to abuse
197		~~- } elseif( 'oversight' === $flag) {~~
	200	+ } elseif( 'oversight' === $flag && $wgUser->isAllowed( 'aftv5-hide-feedback' )) {
198	201
199	202	if($direction == 'increase') {
200	203	$activity = 'request';

Follow-up revisions

Revision	Commit summary	Author	Date
r112610	bug 34090 - change all sql updates to use escaping except for explicitly comm...	emsmith	16:22, 28 February 2012
r112611	bug 34090 - take out implicit show and add returning user that hid/oversighte...	emsmith	17:02, 28 February 2012
r112627	bug 34090 - follow up to r112599 - change to use getText since it's going int...	emsmith	18:53, 28 February 2012
r112825	bug 34090 - insert custom attributes (sigh) for the user and formatted timest...	emsmith	18:14, 1 March 2012
r112830	bug 34090 - follow up to r111474 - use truncate for chopping	emsmith	19:42, 1 March 2012
r113052	bug 34090 - remaining backend feature in requirements, oversight email genera...	emsmith	18:04, 5 March 2012
r113062	bug 34090 - follow up to r110520 1. change index 2. default of null for conti...	emsmith	18:54, 5 March 2012
r113073	bug 34090 - follow up to r111472 part 1 - change to use getDbKey, check for b...	emsmith	19:48, 5 March 2012
r113082	bug 34090 - follow up to r111471 - changed to use text()	emsmith	20:42, 5 March 2012
r113083	bug 34090 - follow up to rr111472 part 2 - only use log_id for ordering	emsmith	20:48, 5 March 2012
r113104	bug 34090 - follow up to rr111472 part 3 - totally redo the continue function...	emsmith	23:10, 5 March 2012
r113159	bug 34090 - follow up to rr111472 part 4 and follow up to r111596 (same issue...	emsmith	17:37, 6 March 2012
r113160	bug 34090 - follow up to rr111472 part 5 plural and number format action count	emsmith	17:48, 6 March 2012
r113161	bug 34090 - follow up to rr111472 part 6 last of lego messages	emsmith	17:53, 6 March 2012
r113163	bug 34090 - two additional configuration settings (help url and admin user ur...	emsmith	18:02, 6 March 2012
r113193	bug 34090 - followup to r113104 - only sort by timestamp (sorting by log id w...	emsmith	22:56, 6 March 2012
r113228	bug 34090 - followup to r113160	emsmith	14:05, 7 March 2012
r113247	bug 34090 - db issue, remove one of the sorts from the query, use the ids arr...	emsmith	16:52, 7 March 2012
r113269	bug 34090 - followup to r113247	emsmith	19:01, 7 March 2012
r113273	bug 34090 - add javascript level hiding on request oversight IF autohidden is...	emsmith	19:22, 7 March 2012
r113287	bug 34090 - usernames and formatted timestamps into red lines for hidden/over...	emsmith	20:22, 7 March 2012
r113311	bug 34090 - fixing the username bugs - apparently using the data- stuff with ...	emsmith	22:34, 7 March 2012
r113317	bug 34090 - js and css voodoo to make the element with the red lines appear a...	emsmith	23:01, 7 March 2012
r113370	bug 34090 - make different titles for masking appear if it's been hidden or o...	emsmith	16:43, 8 March 2012
r113371	bug 34090 - fixes for oversighter view for hide/oversight panels	emsmith	17:51, 8 March 2012
r113383	bug 34090 - not entirely necessary, but keeps $2 from showing up in hiders pa...	emsmith	19:25, 8 March 2012
r113384	bug 34090 - fix for double red line issues when hiding an oversighted post ha...	emsmith	19:28, 8 March 2012
r113390	bug 34090 - adding translation for "automatic hider" user	emsmith	19:44, 8 March 2012
r113392	bug 34090 - followup to r113287 - adjusted localization documentation	emsmith	20:03, 8 March 2012
r113393	bug 34090 - followup to r113370 - adjusted localization documentation	emsmith	20:05, 8 March 2012

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r111211	bug 34090 - Added a log namespace and log types for the Article Feedback v5 e...	emsmith	22:53, 10 February 2012
r111472	bug 34090 - Added an additional column in the main feedback table to keep a c...	emsmith	19:14, 14 February 2012
r111474	bug 34090 - remove a todo - take the note from the flag submission and save i...	emsmith	19:57, 14 February 2012
r111552	bug 34090 - split activity notes into their own config for maximum length (th...	emsmith	16:07, 15 February 2012
r111557	bug 34090 - changed structure of the link classes and ids per the following f...	emsmith	16:47, 15 February 2012
r111570	bug 34090 - request oversight is now a counter - so you can request/unrequest...	emsmith	19:53, 15 February 2012
r111573	bug 34090 - removed the "header" portion of the html generation from the acti...	emsmith	20:18, 15 February 2012
r111645	bug 34090 - updated the filter count update script to get requested oversight...	emsmith	15:45, 16 February 2012
r112038	bug 34090 - added additional counts for filters including unhidden, undeleted...	emsmith	20:28, 21 February 2012
r112039	bug 34090 - fixed issue noted : if $feedback is false return nothing - not th...	emsmith	20:50, 21 February 2012
r112041	bug 34090 - kill the -1 issue by never letting it get below 0	emsmith	21:08, 21 February 2012
r112115	bug 34090 - no code changes, just fixing/adding keyword svn properties	emsmith	16:31, 22 February 2012
r112119	bug 34090 - cast the naughty column so it can be signed, the greatest still k...	emsmith	16:57, 22 February 2012
r112142	bug 34090 - toggle for atomic un/helpful changing (and elimination of an extr...	emsmith	20:37, 22 February 2012
r112147	bug 34090 - note to self, watch the copy and paste errors...	emsmith	21:01, 22 February 2012
r112149	bug 34090 - no upper limit, only lower limit - we can't get any worse then 0	emsmith	21:21, 22 February 2012
r112154	bug 34090 - quick and dirty helper script to get missing documentation keys	emsmith	21:57, 22 February 2012
r112156	bug 34090 - only send the activity header if continue < 1, make the more div ...	emsmith	22:14, 22 February 2012
r112161	bug 34090 - fix limit and use old continue to determine if we do the header	emsmith	23:15, 22 February 2012
r112218	bug 34090 - make sure the name are right for hidden/unhidden logging (argh)	emsmith	16:44, 23 February 2012
r112225	bug 34090 - unhidden and unoversight logic adjustments	emsmith	18:06, 23 February 2012
r112228	bug 34090 - fix filter - needsoversight are always autohidden	emsmith	19:16, 23 February 2012
r112230	bug 34090 - let's try this again - needsoversight and declined will have hidd...	emsmith	19:38, 23 February 2012
r112232	bug 34090 - hide and show shouldn't fiddle with oversight counts or declined ...	emsmith	19:48, 23 February 2012
r112599	bug 34090 - follow up to r111211 - rename things to make them "less confusin...	emsmith	14:43, 28 February 2012
r112603	bug 34090 - Add the logging of automated hide/show errors by the "Article Fee...	emsmith	15:21, 28 February 2012

Comments

#Comment by Catrope (talk | contribs) 22:01, 6 March 2012

Ouch :S that could've been bad

Status & tagging log

22:01, 6 March 2012 Catrope (talk | contribs) changed the status of r112604 [removed: new added: ok]