SECURITY: Add permission check for suppressed account

Bug: T230402
Change-Id: I6a13859be81e5c746bdf0993eb5416fecdac2306
(cherry picked from commit 4356572546b2b4e8eefda9bf10943ba1b12526b9)

diff --git a/includes/specials/SpecialRedirect.php b/includes/specials/SpecialRedirect.php
index e827911..8006048 100644 (file)
--- a/includes/specials/SpecialRedirect.php
+++ b/includes/specials/SpecialRedirect.php
@@ -79,6 +79,11 @@ class SpecialRedirect extends FormSpecialPage {
                if ( $user->isAnon() ) {
                        return null;
                }
                if ( $user->isAnon() ) {
                        return null;
                }

+               if ( $user->isHidden() && !MediaWikiServices::getInstance()->getPermissionManager()
+                       ->userHasRight( $this->getUser(), 'hideuser' )
+               ) {
+                       throw new PermissionsError( null, [ 'badaccess-group0' ] );
+               }

                $userpage = Title::makeTitle( NS_USER, $username );
 
                return $userpage->getFullURL( '', false, PROTO_CURRENT );
                $userpage = Title::makeTitle( NS_USER, $username );
 
                return $userpage->getFullURL( '', false, PROTO_CURRENT );