Merge "Add a run mode to $wgDisableQueryPageUpdate"
[lhc/web/wiklou.git]
/
includes
/
AjaxDispatcher.php
diff --git
a/includes/AjaxDispatcher.php
b/includes/AjaxDispatcher.php
index
5f825c8
..
ea10a2e
100644
(file)
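--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
 * they should be carefully handled in the function processing the
 * request.
 *
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
 * @param User $user
 */
 function performAction( User $user ) {
@@ -111,6 +114,7 @@ class AjaxDispatcher {
 return;
 }
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
 if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) {
 wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );
 wfHttpError(
@@ -118,7 +122,8 @@ class AjaxDispatcher {
 'Bad Request',
 "unknown function " . $this->func_name
 );
- } elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) {
+ } elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) &&
+ !$permissionManager->userHasRight( $user, 'read' ) ) {
 wfHttpError(
 403,
 'Forbidden',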
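Review bot: The `@suppress SecurityCheck-XSS` added to the `performAction()` docblock silences taint findings for the whole method rather than the single statement judged a false positive, so any later change in this method that echoes request data would go unreported. The stated rationale (the early return when `func_name` is not in `AjaxExportList`) also does not cover the rejection branch itself, where `$this->func_name` is concatenated into the `wfHttpError()` description. That branch is safe only if `wfHttpError()` escapes its arguments, which this diff does not show. I would scope the suppression to the flagged statement with `// @phan-suppress-next-line SecurityCheck-XSS` and name the sink in the comment, e.g. `Output comes from an allow-listed handler; the "unknown function" message relies on wfHttpError() escaping.` The method body continues outside the hunks shown, so the remaining sinks should be checked before the suppression is accepted.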