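--- a/trunk/phase3/includes/Article.php
+++ b/trunk/phase3/includes/Article.php
@@ -2188,8 +2188,10 @@
 public function doRollback( $fromP, $summary, $token, $bot, &$resultDetails ) {
 global $wgUser, $wgUseRCPatrol;
 $resultDetails = null;
-
-if( $wgUser->isAllowed( 'rollback' ) ) {
+
+# Just in case it's being called from elsewhere
+
+if( $wgUser->isAllowed( 'rollback' ) && $this->mTitle->userCan( 'edit' ) ) {
 if( $wgUser->isBlocked() ) {
 return self::BLOCKED;
 }
@@ -2200,6 +2202,7 @@
 if ( wfReadOnly() ) {
 return self::READONLY;
 }
+
 if( !$wgUser->matchEditToken( $token, array( $this->mTitle->getPrefixedText(), $fromP ) ) )
 return self::BAD_TOKEN;
 
@@ -2282,6 +2285,17 @@
 global $wgUser, $wgOut, $wgRequest, $wgUseRCPatrol;
 
 $details = null;
+
+# Skip the permissions-checking in doRollback() itself, by checking permissions here.
+
+$perm_errors = array_merge( $this->mTitle->getUserPermissionsErrors( 'edit', $wgUser ),
+$this->mTitle->getUserPermissionsErrors( 'rollback', $wgUser ) );
+
+if (count($perm_errors)) {
+$wgOut->showPermissionsErrorPage( $perm_errors );
+return;
+}
+
 $result = $this->doRollback(
 $wgRequest->getVal( 'from' ),
 $wgRequest->getText( 'summary' ),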
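Review bot: The check inside doRollback() is the one that actually enforces protection, but it is not obviously equivalent to the pre-check added in the third hunk. It tests the rollback right only globally with `isAllowed( 'rollback' )` and the edit right with `userCan( 'edit' )`, while the caller asks `getUserPermissionsErrors()` for both actions against this title. Since doRollback() is public and, as its own comment says, may be called from elsewhere, I would have it use the same per-title call, e.g. `$errors = array_merge( $this->mTitle->getUserPermissionsErrors( 'edit', $wgUser ), $this->mTitle->getUserPermissionsErrors( 'rollback', $wgUser ) );` followed by `if( !count( $errors ) ) {`, so the two paths cannot drift apart. The caller's comment also reads as if the inner check were bypassed; `# Check permissions up front so the user gets a detailed error page; doRollback() still enforces them.` would be accurate. Both function bodies continue outside the hunks shown, so what doRollback() returns when the combined condition fails is not visible here and should be confirmed.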
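--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -38,6 +38,8 @@
 message, the level of protection.
 * (bug 9611) Supply the blocker and reason for the cantcreateaccounttext
 message.
+* (bug 8759) Fixed bug where rollback was allowed on protected pages for wikis
+where rollback is given to non-sysops.
 
 === API changes in 1.12 ===
 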