);
}
+ /**
+ * Is this a message which can contain raw HTML?
+ *
+ * @return bool
+ * @since 1.32
+ */
+ public function isRawHtmlMessage() {
+ global $wgRawHtmlMessages;
+
+ if ( !$this->inNamespace( NS_MEDIAWIKI ) ) {
+ return false;
+ }
+ $message = lcfirst( $this->getRootTitle()->getDBkey() );
+ return in_array( $message, $wgRawHtmlMessages, true );
+ }
+
/**
* Is this a talk page of some sort?
*
if ( $nsText === false ) {
// See T165149. Awkward, but better than erroneously linking to the main namespace.
$nsText = MediaWikiServices::getInstance()->getContentLanguage()->
- getNsText( NS_SPECIAL ) . ":Badtitle/NS{$this->mNamespace}";
+ getNsText( NS_SPECIAL ) . ":Badtitle/NS{$this->mNamespace}";
}
$p .= $nsText . ':';
$error = [ 'sitejsonprotected', $action ];
} elseif ( $this->isSiteJsConfigPage() && !$user->isAllowed( 'editsitejs' ) ) {
$error = [ 'sitejsprotected', $action ];
+ } elseif ( $this->isRawHtmlMessage() ) {
+ // Raw HTML can be used to deploy CSS or JS so require rights for both.
+ if ( !$user->isAllowed( 'editsitejs' ) ) {
+ $error = [ 'sitejsprotected', $action ];
+ } elseif ( !$user->isAllowed( 'editsitecss' ) ) {
+ $error = [ 'sitecssprotected', $action ];
+ }
}
if ( $error ) {
# Protect css/json/js subpages of user pages
# XXX: this might be better using restrictions
- if ( $action != 'patrol' ) {
- if ( preg_match( '/^' . preg_quote( $user->getName(), '/' ) . '\//', $this->mTextform ) ) {
- if (
- $this->isUserCssConfigPage()
- && !$user->isAllowedAny( 'editmyusercss', 'editusercss' )
- ) {
- $errors[] = [ 'mycustomcssprotected', $action ];
- } elseif (
- $this->isUserJsonConfigPage()
- && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' )
- ) {
- $errors[] = [ 'mycustomjsonprotected', $action ];
- } elseif (
- $this->isUserJsConfigPage()
- && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' )
- ) {
- $errors[] = [ 'mycustomjsprotected', $action ];
- }
- } else {
+ if ( $action === 'patrol' ) {
+ return [];
+ }
+
+ if ( preg_match( '/^' . preg_quote( $user->getName(), '/' ) . '\//', $this->mTextform ) ) {
+ // Users need editmyuser* to edit their own CSS/JSON/JS subpages.
+ if (
+ $this->isUserCssConfigPage()
+ && !$user->isAllowedAny( 'editmyusercss', 'editusercss' )
+ ) {
+ $errors[] = [ 'mycustomcssprotected', $action ];
+ } elseif (
+ $this->isUserJsonConfigPage()
+ && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' )
+ ) {
+ $errors[] = [ 'mycustomjsonprotected', $action ];
+ } elseif (
+ $this->isUserJsConfigPage()
+ && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' )
+ ) {
+ $errors[] = [ 'mycustomjsprotected', $action ];
+ }
+ } else {
+ // Users need editmyuser* to edit their own CSS/JSON/JS subpages, except for
+ // deletion/suppression which cannot be used for attacks and we want to avoid the
+ // situation where an unprivileged user can post abusive content on their subpages
+ // and only very highly privileged users could remove it.
+ if ( !in_array( $action, [ 'delete', 'deleterevision', 'suppressrevision' ], true ) ) {
if (
$this->isUserCssConfigPage()
&& !$user->isAllowed( 'editusercss' )
$id = $this->getArticleID();
if ( $id ) {
$cache = ObjectCache::getMainWANInstance();
+ $fname = __METHOD__;
$rows = $cache->getWithSetCallback(
// Page protections always leave a new null revision
$cache->makeKey( 'page-restrictions', $id, $this->getLatestRevID() ),
$cache::TTL_DAY,
- function ( $curValue, &$ttl, array &$setOpts ) {
+ function ( $curValue, &$ttl, array &$setOpts ) use ( $fname ) {
$dbr = wfGetDB( DB_REPLICA );
$setOpts += Database::getCacheSetOptions( $dbr );
'page_restrictions',
[ 'pr_type', 'pr_expiry', 'pr_level', 'pr_cascade' ],
[ 'pr_page' => $this->getArticleID() ],
- __METHOD__
+ $fname
)
);
}
$revQuery['joins']
);
if ( $row ) {
- return new Revision( $row );
+ return new Revision( $row, 0, $this );
}
}
return null;
dépôts / lhc / web / wiklou.git / blobdiff