X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FAjaxDispatcher.php;h=ea10a2e8638e59bdfb4277efbbc29dfda422018d;hb=b23cab80f73ac73a08c0f83db60d6b172623df75;hp=5f825c8b5ac7bbf1b5cb09f5e00e9db66d95fd33;hpb=138298b397b308ad6e4bfc7088884d90e8ac1e37;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8b5a..ea10a2e863 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
 * they should be carefully handled in the function processing the
 * request.
 *
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
 * @param User $user
 */
 function performAction( User $user ) {
@@ -111,6 +114,7 @@ class AjaxDispatcher {
 return;
 }
 
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
 if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) {
 wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );
 wfHttpError(
@@ -118,7 +122,8 @@ class AjaxDispatcher {
 'Bad Request',
 "unknown function " . $this->func_name
 );
- } elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) {
+ } elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) &&
+ !$permissionManager->userHasRight( $user, 'read' ) ) {
 wfHttpError(
 403,
 'Forbidden',
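Review bot: The added `@suppress SecurityCheck-XSS` sits on the performAction docblock, so it silences the taint checker for the entire method rather than for the one statement the new comment justifies (presumably the `wfHttpError( ... "unknown function " . $this->func_name )` call visible in the next hunks). Any unescaped output added to this method later would then go unreported, which is the opposite of what a dispatcher that hands request data to arbitrary exported functions wants. Phan offers a line-scoped form; moving the justification next to the flagged statement as `// @phan-suppress-next-line SecurityCheck-XSS -- func_name is allowlisted against AjaxExportList above` keeps the rest of the method under analysis. performAction's body continues outside this hunk.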
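Review bot: `$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();` reaches into the static service locator from inside performAction, which ties the method to global state and makes the read-permission branch (the `elseif` rewritten in the third hunk) hard to unit-test in isolation. If the class constructor, which is outside this diff, can accept a `PermissionManager`, injecting it there and using `$this->permissionManager` in both places would match the dependency-injection direction the commit is already moving in by dropping the static `User::isEveryoneAllowed`. The rest of performAction, including the remaining branches of this `if`, lies outside the hunk.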