SECURITY: Add permission check for user is permitted to view the log type
authorrxy <wikitech.rxy@rxy.jp>
Sun, 28 Apr 2019 20:04:01 +0000 (05:04 +0900)
committerUmherirrender <umherirrender_de.wp@web.de>
Thu, 6 Jun 2019 21:25:01 +0000 (21:25 +0000)
Bug: T222036
Change-Id: I7584ee8db23a8834bbab21e355cab9857a293f72

includes/changetags/ChangeTagsLogItem.php
includes/specials/SpecialEditTags.php

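--- a/includes/changetags/ChangeTagsLogItem.php
+++ b/includes/changetags/ChangeTagsLogItem.php
@@ -49,7 +49,7 @@ class ChangeTagsLogItem extends RevisionItemBase {
        }
 
        public function canView() {
-               return LogEventsList::userCan( $this->row, Revision::DELETED_RESTRICTED, $this->list->getUser() );
+               return LogEventsList::userCan( $this->row, Revision::SUPPRESSED_ALL, $this->list->getUser() );
        }
 
        public function canViewContent() {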
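Review bot: `canView()` carries no comment saying why the mask is now `Revision::SUPPRESSED_ALL`, and the log-type restriction named in the commit title is not visible in this hunk, so it presumably lives inside `LogEventsList::userCan()`. I would add a docblock above `canView()` such as `/** Whether the user may see this log entry at all; the wide mask is deliberate, do not narrow it to a single DELETED_* bit. */` so a later edit does not quietly restore the old behaviour. The row checked here is a log row while the constant comes from `Revision`; a one-line comment confirming that the bit values are shared would help, if that is the case. A regression test using a user who lacks the right for a restricted log type would pin the intended denial.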
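--- a/includes/specials/SpecialEditTags.php
+++ b/includes/specials/SpecialEditTags.php
@@ -225,6 +225,9 @@ class SpecialEditTags extends UnlistedSpecialPage {
                // phpcs:ignore Generic.CodeAnalysis.ForLoopWithTestFunctionCall
                for ( $list->reset(); $list->current(); $list->next() ) {
                        $item = $list->current();
+                       if ( !$item->canView() ) {
+                               throw new ErrorPageError( 'permissionserrors', 'tags-update-no-permission' );
+                       }
                        $numRevisions++;
                        $out->addHTML( $item->getHTML() );
                }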
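Review bot: The new `canView()` check runs inside the rendering loop, so every item before the first non-viewable one has already been passed to `$out->addHTML( $item->getHTML() )` when the exception is thrown. The denial then depends on the error page discarding that buffered output, which is not visible here. Checking the whole list in a separate pass before any `getHTML()` call removes that dependency. The enclosing method starts and ends outside the hunk, so it is also not visible whether the submit path that applies the tag change repeats the check; that is worth confirming, since a guard on the form display alone would not cover a direct POST.

```php
// Check every selected item before any of them is rendered.
// phpcs:ignore Generic.CodeAnalysis.ForLoopWithTestFunctionCall
for ( $list->reset(); $list->current(); $list->next() ) {
	if ( !$list->current()->canView() ) {
		throw new ErrorPageError( 'permissionserrors', 'tags-update-no-permission' );
	}
}
// … unchanged: rendering loop with $numRevisions++ and $out->addHTML( $item->getHTML() ) …
```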