r25944 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r25943‎ \| r25944 \| r25945 >
Date:	20:04, 19 September 2007
Author:	daniel
Status:	old
Tags:
Comment:	security fix (read-protection): use anon user privileges when checking what should be shown in the RC RSS feed. Previously, a 'privileged' version might have been cached and served to everyone.
Modified paths:	/trunk/phase3/includes/SpecialRecentchanges.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/SpecialRecentchanges.php
—	—	@@ -622,7 +622,13 @@
623	623	$skin = $wgUser->getSkin();
624	624	$completeText = '<p>' . $skin->formatComment( $comment ) . "</p>\n";
625	625
626		~~- if( $title->getNamespace() >= 0 && $title->userCan( 'read' ) ) {~~
	626	+ //NOTE: Check permissions for anonymous users, not current user.
	627	+ // No "privileged" version should end up in the cache.
	628	+ // Most feed readers will not log in anway.
	629	+ $anon = new User();
	630	+ $accErrors = $title->getUserPermissionsErrors( 'read', $anon, true );
	631	+
	632	+ if( $title->getNamespace() >= 0 && !$accErrors ) {
627	633	if( $oldid ) {
628	634	wfProfileIn( "$fname-dodiff" );
629	635

Follow-up revisions

Revision	Commit summary	Author	Date
r26015	Merged revisions 25932-26011 via svnmerge from...	david	21:05, 21 September 2007

Status & tagging log

15:20, 12 September 2011 Meno25 (talk | contribs) changed the status of r25944 [removed: ok added: old]