X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2FAjaxDispatcher.php;h=ea10a2e8638e59bdfb4277efbbc29dfda422018d;hp=5f825c8b5ac7bbf1b5cb09f5e00e9db66d95fd33;hb=e65f8ac5110804067366f9f239c13f4f29b66c3d;hpb=15f6eff90c305d405fe4331c8a8dc8caa842e5b3
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 5f825c8b5a..ea10a2e863 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -104,6 +104,9 @@ class AjaxDispatcher {
 * they should be carefully handled in the function processing the
 * request.
 *
+ * phan-taint-check triggers as it is not smart enough to understand
+ * the early return if func_name not in AjaxExportList.
+ * @suppress SecurityCheck-XSS
 * @param User $user
 */
 function performAction( User $user ) {
@@ -111,6 +114,7 @@ class AjaxDispatcher {
 return;
 }
 
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
 if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) {
 wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );
 wfHttpError(
@@ -118,7 +122,8 @@ class AjaxDispatcher {
 'Bad Request',
 "unknown function " . $this->func_name
 );
- } elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) {
+ } elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) &&
+ !$permissionManager->userHasRight( $user, 'read' ) ) {
 wfHttpError(
 403,
 'Forbidden',
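Review bot: The `@suppress SecurityCheck-XSS` added to the performAction docblock silences the taint checker for the whole method, not just the dispatch the comment describes, so any later tainted output introduced anywhere in performAction would go unflagged. Phan also accepts a line-scoped form, `@phan-suppress-next-line SecurityCheck-XSS`, placed directly above the statement that trips the check, which keeps the rest of the method covered. The comment's "early return" wording also does not match the visible `if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) )` / `elseif` chain in the following hunk; since the dispatch itself is outside the hunk, the note should name the actual guard, e.g. `the AjaxExportList membership check below, which rejects unknown func_name values before dispatch`. performAction's body continues past the end of this hunk.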
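Review bot: `$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();` is placed before the AjaxExportList check, so the service lookup runs even on the bad-request path, which never reaches the `elseif` that uses it; moving the assignment next to that `elseif` in the third hunk, or injecting PermissionManager through the constructor, would keep the method's dependencies explicit and avoid the unused lookup. The unqualified `MediaWikiServices` relies on a `use MediaWiki\MediaWikiServices;` import that is not visible in this diff; confirm it is present in the file header so the name resolves. The enclosing if/elseif chain begins in this hunk and ends outside the third hunk.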