/**
* API for MediaWiki 1.12+
*
- * Created on May 10, 2010
- *
* Copyright © 2010 Sam Reed
* Copyright © 2008 Vasiliev Victor vasilvv@gmail.com,
* based on ApiQueryAllPages.php
* @file
*/
+use MediaWiki\Revision\RevisionRecord;
+
/**
* Query module to enumerate all deleted files.
*
}
public function execute() {
- // Before doing anything at all, let's check permissions
- $this->checkUserRightsAny( 'deletedhistory' );
-
$user = $this->getUser();
$db = $this->getDB();
- $commentStore = new CommentStore( 'fa_description' );
+ $commentStore = CommentStore::getStore();
$params = $this->extractRequestParams();
$fld_bitdepth = isset( $prop['bitdepth'] );
$fld_archivename = isset( $prop['archivename'] );
+ if ( $fld_description &&
+ !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' )
+ ) {
+ $this->dieWithError( 'apierror-cantview-deleted-description', 'permissiondenied' );
+ }
+ if ( $fld_metadata &&
+ !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' )
+ ) {
+ $this->dieWithError( 'apierror-cantview-deleted-metadata', 'permissiondenied' );
+ }
+
$fileQuery = ArchivedFile::getQueryInfo();
$this->addTables( $fileQuery['tables'] );
$this->addFields( $fileQuery['fields'] );
}
if ( $sha1 ) {
$this->addWhereFld( 'fa_sha1', $sha1 );
+ // Paranoia: avoid brute force searches (T19342)
+ if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedtext' ) ) {
+ $bitmask = File::DELETED_FILE;
+ } elseif ( !$this->getPermissionManager()
+ ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' )
+ ) {
+ $bitmask = File::DELETED_FILE | File::DELETED_RESTRICTED;
+ } else {
+ $bitmask = 0;
+ }
+ if ( $bitmask ) {
+ $this->addWhere( $this->getDB()->bitAnd( 'fa_deleted', $bitmask ) . " != $bitmask" );
+ }
}
}
- // Exclude files this user can't view.
- if ( !$user->isAllowed( 'deletedtext' ) ) {
- $bitmask = File::DELETED_FILE;
- } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
- $bitmask = File::DELETED_FILE | File::DELETED_RESTRICTED;
- } else {
- $bitmask = 0;
- }
- if ( $bitmask ) {
- $this->addWhere( $this->getDB()->bitAnd( 'fa_deleted', $bitmask ) . " != $bitmask" );
- }
-
$limit = $params['limit'];
$this->addOption( 'LIMIT', $limit + 1 );
$sort = ( $params['dir'] == 'descending' ? ' DESC' : '' );
break;
}
+ $canViewFile = RevisionRecord::userCanBitfield( $row->fa_deleted, File::DELETED_FILE, $user );
+
$file = [];
$file['id'] = (int)$row->fa_id;
$file['name'] = $row->fa_name;
self::addTitleInfo( $file, $title );
if ( $fld_description &&
- Revision::userCanBitfield( $row->fa_deleted, File::DELETED_COMMENT, $user )
+ RevisionRecord::userCanBitfield( $row->fa_deleted, File::DELETED_COMMENT, $user )
) {
- $file['description'] = $commentStore->getComment( $row )->text;
+ $file['description'] = $commentStore->getComment( 'fa_description', $row )->text;
if ( isset( $prop['parseddescription'] ) ) {
$file['parseddescription'] = Linker::formatComment(
$file['description'], $title );
}
}
if ( $fld_user &&
- Revision::userCanBitfield( $row->fa_deleted, File::DELETED_USER, $user )
+ RevisionRecord::userCanBitfield( $row->fa_deleted, File::DELETED_USER, $user )
) {
$file['userid'] = (int)$row->fa_user;
$file['user'] = $row->fa_user_text;
}
- if ( $fld_sha1 ) {
+ if ( $fld_sha1 && $canViewFile ) {
$file['sha1'] = Wikimedia\base_convert( $row->fa_sha1, 36, 16, 40 );
}
if ( $fld_timestamp ) {
$file['timestamp'] = wfTimestamp( TS_ISO_8601, $row->fa_timestamp );
}
- if ( $fld_size || $fld_dimensions ) {
+ if ( ( $fld_size || $fld_dimensions ) && $canViewFile ) {
$file['size'] = $row->fa_size;
$pageCount = ArchivedFile::newFromRow( $row )->pageCount();
$file['height'] = $row->fa_height;
$file['width'] = $row->fa_width;
}
- if ( $fld_mediatype ) {
+ if ( $fld_mediatype && $canViewFile ) {
$file['mediatype'] = $row->fa_media_type;
}
- if ( $fld_metadata ) {
+ if ( $fld_metadata && $canViewFile ) {
$file['metadata'] = $row->fa_metadata
? ApiQueryImageInfo::processMetaData( unserialize( $row->fa_metadata ), $result )
: null;
}
- if ( $fld_bitdepth ) {
+ if ( $fld_bitdepth && $canViewFile ) {
$file['bitdepth'] = $row->fa_bits;
}
- if ( $fld_mime ) {
+ if ( $fld_mime && $canViewFile ) {
$file['mime'] = "$row->fa_major_mime/$row->fa_minor_mime";
}
if ( $fld_archivename && !is_null( $row->fa_archive_name ) ) {