Bump and prep 1.34.1

[lhc/web/wiklou.git] / includes / AjaxDispatcher.php

diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8..ea10a2e 100644 (file)
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
         * they should be carefully handled in the function processing the
         * request.
         *
+        * phan-taint-check triggers as it is not smart enough to understand
+        * the early return if func_name not in AjaxExportList.
+        * @suppress SecurityCheck-XSS
         * @param User $user
         */
        function performAction( User $user ) {
@@ -111,6 +114,7 @@ class AjaxDispatcher {
                        return;
                }
 
+               $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
                if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) {
                        wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );
                        wfHttpError(
@@ -118,7 +122,8 @@ class AjaxDispatcher {
                                'Bad Request',
                                "unknown function " . $this->func_name
                        );
-               } elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) {
+               } elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) &&
+                                  !$permissionManager->userHasRight( $user, 'read' ) ) {
                        wfHttpError(
                                403,
                                'Forbidden',