dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e2a6fe5) | patch
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()
authorBrad Jorsch <bjorsch@wikimedia.org>
Thu, 7 Jul 2016 21:24:50 +0000 (17:24 -0400)
committerChad <chadh@wikimedia.org>
Tue, 23 Aug 2016 04:02:08 +0000 (04:02 +0000)
commit6c0aa7c26b752281df37765b61dde52919c4ed38
treeb59ef657d5c7dfbb5cfacfc344a88154ac633f41tree | snapshot
parente2a6fe571166160b9caed45f35910a7b9b50d2c0commit | diff
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights()

This prevents hook functions from accidentally adding rights that should
be denied based on the session grants.

If some extension really needs to be able to override session grants,
add a new hook where the old call was, with documentation explicitly
warning about the security implications.

Bug: T139670
Change-Id: I6392cf4d7cc9d3ea96554b25bb5f8abb66e9031b
includes/user/User.php diff | blob | history
tests/phpunit/includes/user/UserTest.php diff | blob | history
Wiklou, le Wiki du Wiklou