/** @var bool Boolean for initialisation on demand */
public $mRestrictionsLoaded = false;
- /** @var string Text form including namespace/interwiki, initialised on demand */
- protected $mPrefixedText = null;
+ /**
+ * Text form including namespace/interwiki, initialised on demand
+ *
+ * Only public to share cache with TitleFormatter
+ *
+ * @private
+ * @var string
+ */
+ public $prefixedText = null;
/** @var mixed Cached value for getTitleProtection (create protection) */
public $mTitleProtection;
*/
public function isSpecial( $name ) {
if ( $this->isSpecialPage() ) {
- list( $thisName, /* $subpage */ ) = SpecialPageFactory::resolveAlias( $this->mDbkeyform );
+ list( $thisName, /* $subpage */ ) =
+ MediaWikiServices::getInstance()->getSpecialPageFactory()->
+ resolveAlias( $this->mDbkeyform );
if ( $name == $thisName ) {
return true;
}
*/
public function fixSpecialName() {
if ( $this->isSpecialPage() ) {
- list( $canonicalName, $par ) = SpecialPageFactory::resolveAlias( $this->mDbkeyform );
+ $spFactory = MediaWikiServices::getInstance()->getSpecialPageFactory();
+ list( $canonicalName, $par ) = $spFactory->resolveAlias( $this->mDbkeyform );
if ( $canonicalName ) {
- $localName = SpecialPageFactory::getLocalNameFor( $canonicalName, $par );
+ $localName = $spFactory->getLocalNameFor( $canonicalName, $par );
if ( $localName != $this->mDbkeyform ) {
return self::makeTitle( NS_SPECIAL, $localName );
}
);
}
+ /**
+ * Is this a message which can contain raw HTML?
+ *
+ * @return bool
+ * @since 1.32
+ */
+ public function isRawHtmlMessage() {
+ global $wgRawHtmlMessages;
+
+ if ( $this->inNamespace( NS_MEDIAWIKI ) ) {
+ return false;
+ }
+ $message = lcfirst( $this->getRootText() );
+ return in_array( $message, $wgRawHtmlMessages, true );
+ }
+
/**
* Is this a talk page of some sort?
*
* @return string The prefixed title, with spaces
*/
public function getPrefixedText() {
- if ( $this->mPrefixedText === null ) {
+ if ( $this->prefixedText === null ) {
$s = $this->prefix( $this->mTextform );
$s = strtr( $s, '_', ' ' );
- $this->mPrefixedText = $s;
+ $this->prefixedText = $s;
}
- return $this->mPrefixedText;
+ return $this->prefixedText;
}
/**
$error = [ 'sitejsonprotected', $action ];
} elseif ( $this->isSiteJsConfigPage() && !$user->isAllowed( 'editsitejs' ) ) {
$error = [ 'sitejsprotected', $action ];
+ } elseif ( $this->isRawHtmlMessage() ) {
+ // Raw HTML can be used to deploy CSS or JS so require rights for both.
+ if ( !$user->isAllowed( 'editsitejs' ) ) {
+ $error = [ 'sitejsprotected', $action ];
+ } elseif ( !$user->isAllowed( 'editsitecss' ) ) {
+ $error = [ 'sitecssprotected', $action ];
+ }
}
if ( $error ) {
# Protect css/json/js subpages of user pages
# XXX: this might be better using restrictions
- if ( $action != 'patrol' ) {
- if ( preg_match( '/^' . preg_quote( $user->getName(), '/' ) . '\//', $this->mTextform ) ) {
- if (
- $this->isUserCssConfigPage()
- && !$user->isAllowedAny( 'editmyusercss', 'editusercss' )
- ) {
- $errors[] = [ 'mycustomcssprotected', $action ];
- } elseif (
- $this->isUserJsonConfigPage()
- && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' )
- ) {
- $errors[] = [ 'mycustomjsonprotected', $action ];
- } elseif (
- $this->isUserJsConfigPage()
- && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' )
- ) {
- $errors[] = [ 'mycustomjsprotected', $action ];
- }
- } else {
+ if ( $action === 'patrol' ) {
+ return [];
+ }
+
+ if ( preg_match( '/^' . preg_quote( $user->getName(), '/' ) . '\//', $this->mTextform ) ) {
+ // Users need editmyuser* to edit their own CSS/JSON/JS subpages.
+ if (
+ $this->isUserCssConfigPage()
+ && !$user->isAllowedAny( 'editmyusercss', 'editusercss' )
+ ) {
+ $errors[] = [ 'mycustomcssprotected', $action ];
+ } elseif (
+ $this->isUserJsonConfigPage()
+ && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' )
+ ) {
+ $errors[] = [ 'mycustomjsonprotected', $action ];
+ } elseif (
+ $this->isUserJsConfigPage()
+ && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' )
+ ) {
+ $errors[] = [ 'mycustomjsprotected', $action ];
+ }
+ } else {
+ // Users need editmyuser* to edit their own CSS/JSON/JS subpages, except for
+ // deletion/suppression which cannot be used for attacks and we want to avoid the
+ // situation where an unprivileged user can post abusive content on their subpages
+ // and only very highly privileged users could remove it.
+ if ( !in_array( $action, [ 'delete', 'deleterevision', 'suppressrevision' ], true ) ) {
if (
$this->isUserCssConfigPage()
&& !$user->isAllowed( 'editusercss' )
} elseif ( $this->isSpecialPage() ) {
# If it's a special page, ditch the subpage bit and check again
$name = $this->mDbkeyform;
- list( $name, /* $subpage */ ) = SpecialPageFactory::resolveAlias( $name );
+ list( $name, /* $subpage */ ) =
+ MediaWikiServices::getInstance()->getSpecialPageFactory()->
+ resolveAlias( $name );
if ( $name ) {
$pure = SpecialPage::getTitleFor( $name )->getPrefixedText();
if ( in_array( $pure, $wgWhitelistRead, true ) ) {
return (bool)wfFindFile( $this );
case NS_SPECIAL:
// valid special page
- return SpecialPageFactory::exists( $this->mDbkeyform );
+ return MediaWikiServices::getInstance()->getSpecialPageFactory()->
+ exists( $this->mDbkeyform );
case NS_MAIN:
// selflink, possibly with fragment
return $this->mDbkeyform == '';