switch ( $this->mode ) {
case 'get':
- $this->func_name = isset( $_GET["rs"] ) ? $_GET["rs"] : '';
+ $this->func_name = $_GET["rs"] ?? '';
if ( !empty( $_GET["rsargs"] ) ) {
$this->args = $_GET["rsargs"];
} else {
}
break;
case 'post':
- $this->func_name = isset( $_POST["rs"] ) ? $_POST["rs"] : '';
+ $this->func_name = $_POST["rs"] ?? '';
if ( !empty( $_POST["rsargs"] ) ) {
$this->args = $_POST["rsargs"];
} else {
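Review bot: `$_GET["rs"] ?? ''` (and the matching `$_POST["rs"]` line in the `post` case) still accepts whatever type the request supplies, so a request sending `rs[]=x` leaves `func_name` as an array rather than a string. The code visible further down concatenates `func_name` into the `wfDebug` and `wfHttpError` messages and passes it to a non-strict `in_array`, all of which assume a string. Since these lines are being touched anyway, consider `$rs = $_GET["rs"] ?? ''; $this->func_name = is_string( $rs ) ? $rs : '';` and the same for POST, plus `true` as the third argument of that `in_array`. The `switch` sits in a function whose start and end are outside this hunk.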
* they should be carefully handled in the function processing the
* request.
*
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
* @param User $user
*/
function performAction( User $user ) {
return;
}
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) {
wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );
wfHttpError(
'Bad Request',
"unknown function " . $this->func_name
);
- } elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) {
+ } elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) &&
+ !$permissionManager->userHasRight( $user, 'read' ) ) {
wfHttpError(
403,
'Forbidden',
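Review bot: The `@suppress SecurityCheck-XSS` added to the docblock silences the taint check for the whole of `performAction`, not only for the false positive the new comment describes. That covers the visible `wfHttpError( 'Bad Request', "unknown function " . $this->func_name )`, which puts a request-supplied value into the response (whether `wfHttpError` escapes it is not shown here), as well as any output added to this method later. A line-scoped `// @phan-suppress-next-line SecurityCheck-XSS` directly above the statement the checker flags, with the explanation next to it, would keep the rest of the method under analysis. That statement and the end of the function are outside this hunk.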