SECURITY: Do not show log action if revdeleted
authorcsteipp <csteipp@wikimedia.org>
Wed, 29 Oct 2014 15:41:20 +0000 (08:41 -0700)
committermglaser <glaser@hallowelt.biz>
Thu, 27 Nov 2014 01:15:10 +0000 (02:15 +0100)
Also do not include revdeleted entries in search results when
filtering by action if user cannot view that info.

Bug: 72222

Change-Id: I359ce3c67b1a7c24b76a8bade62ce0c77ff5efb0

includes/api/ApiQueryLogEvents.php

index 917332b..5f9fae4 100644 (file)
@@ -200,7 +200,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
                }
 
                // Paranoia: avoid brute force searches (bug 17342)
-               if ( $params['namespace'] !== null || !is_null( $title ) || !is_null( $user ) ) {
+               $hideActions = $params['namespace'] !== null || !is_null( $title ) || !is_null( $params['action'] );
+               if ( $hideActions || !is_null( $user ) ) {
                        if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
                                $titleBits = LogPage::DELETED_ACTION;
                                $userBits = LogPage::DELETED_USER;
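Review bot: `$hideActions` on the first added line names the condition by its consequence rather than by what it tests, so the later `if ( $hideActions && $titleBits )` reads as though actions are always hidden; a short comment above the assignment would make the intent explicit, e.g. `// Filtering by namespace, title or action can reveal DELETED_ACTION data, so restrict those rows for users who may not view it`. The same line also mixes `!== null` and `!is_null()` for the same kind of test; using `$params['action'] !== null` keeps the three terms uniform. The enclosing method continues outside the hunk.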
@@ -211,7 +212,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
                                $titleBits = 0;
                                $userBits = 0;
                        }
-                       if ( ( $params['namespace'] !== null || !is_null( $title ) ) && $titleBits ) {
+                       if ( $hideActions && $titleBits ) {
                                $this->addWhere( $db->bitAnd( 'log_deleted', $titleBits ) . " != $titleBits" );
                        }
                        if ( !is_null( $user ) && $userBits ) {
@@ -372,12 +373,18 @@ class ApiQueryLogEvents extends ApiQueryBase {
                        $title = Title::makeTitle( $row->log_namespace, $row->log_title );
                }
 
-               if ( $this->fld_title || $this->fld_ids || $this->fld_details && $row->log_params !== '' ) {
+               if ( $this->fld_title || $this->fld_ids || $this->fld_type
+                       || $this->fld_details && $row->log_params !== ''
+               ) {
                        if ( LogEventsList::isDeleted( $row, LogPage::DELETED_ACTION ) ) {
                                $vals['actionhidden'] = '';
                                $anyHidden = true;
                        }
                        if ( LogEventsList::userCan( $row, LogPage::DELETED_ACTION, $user ) ) {
+
+                               if ( $this->fld_type ) {
+                                       $vals['action'] = $row->log_action;
+                               }
                                if ( $this->fld_title ) {
                                        ApiQueryBase::addTitleInfo( $vals, $title );
                                }
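Review bot: The condition at the top of the hunk mixes `||` and `&&` without parentheses, so the intended grouping (`... || ( $this->fld_details && $row->log_params !== '' )`) rests on operator precedence; now that the expression spans three lines and gained a fourth term, wrapping the `&&` pair in parentheses would make it explicit. The blank line added directly after `if ( LogEventsList::userCan( $row, LogPage::DELETED_ACTION, $user ) ) {` is stray and should be dropped. Emitting `$vals['action']` only inside that visibility check looks right, since `log_action` is the field revision-deletion of the action is meant to hide; a one-line comment such as `// log_action is covered by DELETED_ACTION, so only emit it to users who may view it` would record why `action` is no longer set alongside `type`. The enclosing method starts and ends outside the hunk.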
@@ -399,9 +406,8 @@ class ApiQueryLogEvents extends ApiQueryBase {
                        }
                }
 
-               if ( $this->fld_type || $this->fld_action ) {
+               if ( $this->fld_type ) {
                        $vals['type'] = $row->log_type;
-                       $vals['action'] = $row->log_action;
                }
 
                if ( $this->fld_user || $this->fld_userid ) {
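Review bot: `$this->fld_action` is dropped from the condition here, but if that property is still assigned from the `prop` parameter elsewhere in the class (outside this hunk) it becomes dead state, and a request asking only for that prop would now receive neither `type` nor `action`; worth confirming and removing the assignment in the same change. If no such prop exists, the removal is harmless. The enclosing method continues outside the hunk.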