Merge "SECURITY: Add permission check for suppressed account" into REL1_31

author Jforrester <jforrester@wikimedia.org>

Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)
author Jforrester <jforrester@wikimedia.org>
Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)
diff --git a/includes/specials/SpecialRedirect.php b/includes/specials/SpecialRedirect.php

index e827911..8006048 100644 (file)
--- a/includes/specials/SpecialRedirect.php
+++ b/includes/specials/SpecialRedirect.php
@@ -79,6 +79,11 @@ class SpecialRedirect extends FormSpecialPage {
                 if ( $user->isAnon() ) {
                         return null;
                 }
+               if ( $user->isHidden() && !MediaWikiServices::getInstance()->getPermissionManager()
+                       ->userHasRight( $this->getUser(), 'hideuser' )
+               ) {
+                       throw new PermissionsError( null, [ 'badaccess-group0' ] );
+               }
                 $userpage = Title::makeTitle( NS_USER, $username );
  
                 return $userpage->getFullURL( '', false, PROTO_CURRENT );
author	Jforrester <jforrester@wikimedia.org>
	Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Wed, 21 Aug 2019 16:57:32 +0000 (16:57 +0000)