r70135 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r70134‎ \| r70135 \| r70136 >
Date:	13:04, 29 July 2010
Author:	btongminh
Status:	ok (Comments)
Tags:
Comment:	Uploading to a protected title will allow the user to choose a new name instead of showing an error page * Made validateNameAndOverwrite protected and moved it to validateName since overwriting is now checked in verifyPermissions() * Fixed mime verification in case getTitle was not yet called * Checking for overwrites no longer uses $wgUser Other changes: * convertVerifyErrorToStatus now works * Allow passing the session key to stashSession in UploadFromStash as well
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/specials/SpecialUpload.php (modified) (history) /trunk/phase3/includes/upload/UploadBase.php (modified) (history) /trunk/phase3/includes/upload/UploadFromStash.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/upload/UploadFromStash.php
—	—	@@ -65,7 +65,7 @@
66	66	/**
67	67	* There is no need to stash the image twice
68	68	*/
69		~~- public function stashSession() {~~
	69	+ public function stashSession( $key = null ) {
70	70	if ( !empty( $this->mSessionKey ) )
71	71	return $this->mSessionKey;
72	72	return parent::stashSession();
Index: trunk/phase3/includes/upload/UploadBase.php
—	—	@@ -25,7 +25,7 @@
26	26	const EMPTY_FILE = 3;
27	27	const MIN_LENGTH_PARTNAME = 4;
28	28	const ILLEGAL_FILENAME = 5;
29		~~- const OVERWRITE_EXISTING_FILE = 7;~~
	29	+ const OVERWRITE_EXISTING_FILE = 7; # Not used anymore; handled by verifyPermissions()
30	30	const FILETYPE_MISSING = 8;
31	31	const FILETYPE_BADTYPE = 9;
32	32	const VERIFICATION_ERROR = 10;
—	—	@@ -223,7 +223,7 @@
224	224	* Verify whether the upload is sane.
225	225	* @return mixed self::OK or else an array with error information
226	226	*/
227		~~- public function verifyUpload( ) {~~
	227	+ public function verifyUpload() {
228	228	/**
229	229	* If there was no filename or a zero size given, give up quick.
230	230	*/
—	—	@@ -258,7 +258,7 @@
259	259	/**
260	260	* Make sure this file can be created
261	261	*/
262		~~- $result = $this->validateNameAndOverwrite();~~
	262	+ $result = $this->validateName();
263	263	if( $result !== true ) {
264	264	return $result;
265	265	}
—	—	@@ -279,7 +279,7 @@
280	280	* @return mixed true if valid, otherwise and array with 'status'
281	281	* and other keys
282	282	**/
283		~~- public function validateNameAndOverwrite() {~~
	283	+ protected function validateName() {
284	284	$nt = $this->getTitle();
285	285	if( is_null( $nt ) ) {
286	286	$result = array( 'status' => $this->mTitleError );
—	—	@@ -293,16 +293,6 @@
294	294	}
295	295	$this->mDestName = $this->getLocalFile()->getName();
296	296
297		- /**
298		~~- * In some cases we may forbid overwriting of existing files.~~
299		~~- */~~
300		~~- $overwrite = $this->checkOverwrite();~~
301		~~- if( $overwrite !== true ) {~~
302		~~- return array(~~
303		~~- 'status' => self::OVERWRITE_EXISTING_FILE,~~
304		~~- 'overwrite' => $overwrite~~
305		~~- );~~
306		~~- }~~
307	297	return true;
308	298	}
309	299
—	—	@@ -347,6 +337,10 @@
348	338	* @return mixed true of the file is verified, array otherwise.
349	339	*/
350	340	protected function verifyFile() {
	341	+ # get the title, even though we are doing nothing with it, because
	342	+ # we need to populate mFinalExtension
	343	+ $nt = $this->getTitle();
	344	+
351	345	$this->mFileProps = File::getPropsFromPath( $this->mTempPath, $this->mFinalExtension );
352	346	$this->checkMacBinary();
353	347
—	—	@@ -382,7 +376,11 @@
383	377	}
384	378
385	379	/**
386		~~- * Check whether the user can edit, upload and create the image.~~
	380	+ * Check whether the user can edit, upload and create the image. This
	381	+ * checks only against the current title; if it returns errors, it may
	382	+ * very well be that another title will not give errors. Therefore
	383	+ * isAllowed() should be called as well for generic is-user-blocked or
	384	+ * can-user-upload checking.
387	385	*
388	386	* @param $user the User object to verify the permissions against
389	387	* @return mixed An array as returned by getUserPermissionsErrors or true
—	—	@@ -409,6 +407,12 @@
410	408	$permErrors = array_merge( $permErrors, wfArrayDiff2( $permErrorsCreate, $permErrors ) );
411	409	return $permErrors;
412	410	}
	411	+
	412	+ $overwriteError = $this->checkOverwrite( $user );
	413	+ if ( $overwriteError !== true ) {
	414	+ return array( array( $overwriteError ) );
	415	+ }
	416	+
413	417	return true;
414	418	}
415	419
—	—	@@ -1007,12 +1011,11 @@
1008	1012	*
1009	1013	* @return mixed true on success, error string on failure
1010	1014	*/
1011		~~- private function checkOverwrite() {~~
1012		~~- global $wgUser;~~
	1015	+ private function checkOverwrite( $user ) {
1013	1016	// First check whether the local file can be overwritten
1014	1017	$file = $this->getLocalFile();
1015	1018	if( $file->exists() ) {
1016		~~- if( !self::userCanReUpload( $wgUser, $file ) ) {~~
	1019	+ if( !self::userCanReUpload( $user, $file ) ) {
1017	1020	return 'fileexists-forbidden';
1018	1021	} else {
1019	1022	return true;
—	—	@@ -1023,7 +1026,7 @@
1024	1027	* wfFindFile finds a file, it exists in a shared repository.
1025	1028	*/
1026	1029	$file = wfFindFile( $this->getTitle() );
1027		~~- if ( $file && !$wgUser->isAllowed( 'reupload-shared' ) ) {~~
	1030	+ if ( $file && !$user->isAllowed( 'reupload-shared' ) ) {
1028	1031	return 'fileexists-shared-forbidden';
1029	1032	}
1030	1033
—	—	@@ -1187,8 +1190,8 @@
1188	1191	}
1189	1192
1190	1193	public function convertVerifyErrorToStatus( $error ) {
1191		~~- $args = func_get_args();~~
1192		~~- array_shift($args);~~
1193		~~- return Status::newFatal( $this->getVerificationErrorCode( $error ), $args );~~
	1194	+ $code = $error['status'];
	1195	+ unset( $code['status'] );
	1196	+ return Status::newFatal( $this->getVerificationErrorCode( $code ), $error );
1194	1197	}
1195	1198	}
Index: trunk/phase3/includes/specials/SpecialUpload.php
—	—	@@ -193,6 +193,7 @@
194	194	wfDebug( "Hook 'UploadForm:initial' broke output of the upload form" );
195	195	return;
196	196	}
	197	+
197	198
198	199	$this->showUploadForm( $this->getUploadForm() );
199	200	}
—	—	@@ -415,13 +416,6 @@
416	417	protected function processUpload() {
417	418	global $wgUser, $wgOut;
418	419
419		~~- // Verify permissions~~
420		~~- $permErrors = $this->mUpload->verifyPermissions( $wgUser );~~
421		~~- if( $permErrors !== true ) {~~
422		~~- $wgOut->showPermissionsErrorPage( $permErrors );~~
423		~~- return;~~
424		~~- }~~
425		-
426	420	// Fetch the file if required
427	421	$status = $this->mUpload->fetchFile();
428	422	if( !$status->isOK() ) {
—	—	@@ -445,6 +439,15 @@
446	440	$this->processVerificationError( $details );
447	441	return;
448	442	}
	443	+
	444	+ // Verify permissions for this title
	445	+ $permErrors = $this->mUpload->verifyPermissions( $wgUser );
	446	+ if( $permErrors !== true ) {
	447	+ $code = array_shift( $permErrors[0] );
	448	+ $this->showRecoverableUploadError( wfMsgExt( $code,
	449	+ 'parseinline', $permErrors[0] ) );
	450	+ return;
	451	+ }
449	452
450	453	$this->mLocalFile = $this->mUpload->getLocalFile();
451	454
—	—	@@ -549,10 +552,6 @@
550	553	$this->showRecoverableUploadError( wfMsgExt( 'illegalfilename',
551	554	'parseinline', $details['filtered'] ) );
552	555	break;
553		~~- case UploadBase::OVERWRITE_EXISTING_FILE:~~
554		~~- $this->showRecoverableUploadError( wfMsgExt( $details['overwrite'],~~
555		~~- 'parseinline' ) );~~
556		~~- break;~~
557	556	case UploadBase::FILETYPE_MISSING:
558	557	$this->showRecoverableUploadError( wfMsgExt( 'filetype-missing',
559	558	'parseinline' ) );
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -255,6 +255,8 @@
256	256	throw fatal errors
257	257	* (bug 23380) Uploaded files that are larger than allowed by PHP now show a
258	258	useful error message.
	259	+* Uploading to a protected title will allow the user to choose a new name
	260	+ instead of showing an error page
259	261
260	262	=== API changes in 1.17 ===
261	263	* (bug 22738) Allow filtering by action type on query=logevent.

Follow-up revisions

Revision	Commit summary	Author	Date
r70137	Made asynchronous upload by URL working, partly. Hid it behind $wgAllowAsyncC...	btongminh	13:53, 29 July 2010
r76103	Add MIME type validation fix from r70135. Not merging r70135 itself, has a lo...	catrope	15:08, 5 November 2010

Comments

#Comment by Reedy (talk | contribs) 20:53, 14 March 2011

bug 28034 seems to have maybe come from here...

Status & tagging log

20:10, 20 March 2011 Catrope (talk | contribs) changed the tags for r70135 [removed: trevor]
07:20, 8 February 2011 Catrope (talk | contribs) changed the status of r70135 [removed: new added: ok]
00:18, 8 February 2011 RobLa-WMF (talk | contribs) changed the tags for r70135 [removed: roan added: trevor]
01:24, 26 January 2011 MarkAHershberger (talk | contribs) changed the tags for r70135 [added: roan]