From: Glaisher
Date: Tue, 16 Jun 2015 09:51:16 +0000 (+0500)
Subject: Don't send email notifs to blocked users if $wgBlockDisablesLogin is true
X-Git-Tag: 1.31.0-rc.0~10439^2
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=32359cca9a54527a47a99a31604e91457c006d4f
Don't send email notifs to blocked users if $wgBlockDisablesLogin is true
Previously, private data could be leaked on private wikis where this configuration is common. To prevent this, do not send email notifications on page changes for blocked watchers and blocked talk page owners if $wgBlockDisablesLogin is true.
Bug: T54453
Change-Id: I17408e1038ae10ee01eab747591ef2d9c86b106e
---
diff --git a/includes/mail/EmailNotification.php b/includes/mail/EmailNotification.php
index c359659fdd..a024ffecca 100644
--- a/includes/mail/EmailNotification.php
+++ b/includes/mail/EmailNotification.php
@@ -201,7 +201,7 @@ class EmailNotification {
 public function actuallyNotifyOnPageChange( $editor, $title, $timestamp, $summary, $minorEdit, $oldid, $watchers, $pageStatus = 'changed' ) {
 # we use $wgPasswordSender as sender's address
- global $wgEnotifWatchlist;
+ global $wgEnotifWatchlist, $wgBlockDisablesLogin;
 global $wgEnotifMinorEdits, $wgEnotifUserTalk;
 # The following code is only run, if several conditions are met: 
@@ -240,12 +240,14 @@ class EmailNotification {
 if ( $wgEnotifWatchlist ) {
 // Send updates to watchers other than the current editor
+ // and don't send to watchers who are blocked and cannot login
 $userArray = UserArray::newFromIDs( $watchers );
 foreach ( $userArray as $watchingUser ) {
 if ( $watchingUser->getOption( 'enotifwatchlistpages' )
 && ( !$minorEdit || $watchingUser->getOption( 'enotifminoredits' ) )
 && $watchingUser->isEmailConfirmed()
 && $watchingUser->getID() != $userTalkId
+ && !( $wgBlockDisablesLogin && $watchingUser->isBlocked() )
 ) {
 if ( Hooks::run( 'SendWatchlistEmailNotification', array( $watchingUser, $title, $this ) ) ) {
 $this->compose( $watchingUser );
@@ -275,7 +277,7 @@ class EmailNotification {
 * @return bool
 */
 private function canSendUserTalkEmail( $editor, $title, $minorEdit ) {
- global $wgEnotifUserTalk;
+ global $wgEnotifUserTalk, $wgBlockDisablesLogin;
 $isUserTalkPage = ( $title->getNamespace() == NS_USER_TALK );
 if ( $wgEnotifUserTalk && $isUserTalkPage ) {
@@ -285,6 +287,8 @@ class EmailNotification {
 wfDebug( __METHOD__ . ": user talk page edited, but user does not exist\n" );
 } elseif ( $targetUser->getId() == $editor->getId() ) {
 wfDebug( __METHOD__ . ": user edited their own talk page, no notification sent\n" );
+ } elseif ( $wgBlockDisablesLogin && $targetUser->isBlocked() ) {
+ wfDebug( __METHOD__ . ": talk page owner is blocked and cannot login, no notification sent\n" );
 } elseif ( $targetUser->getOption( 'enotifusertalkpages' )
 && ( !$minorEdit || $targetUser->getOption( 'enotifminoredits' ) )
 ) {
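Review bot: In the `@@ -240,12 +240,14 @@` hunk, the guard that closes the leak is written inline as `&& !( $wgBlockDisablesLogin && $watchingUser->isBlocked() )`, and the same expression is repeated in canSendUserTalkEmail (last hunk), so any recipient path added later has to remember to copy it. Moving it into one private helper on this class and calling that from both places would leave a single point to audit. Blocked watchers are also skipped silently here, while the talk-page branch logs its decision; a matching line such as `wfDebug( __METHOD__ . ": watcher is blocked and cannot login, no notification sent\n" );` would make a suppressed mail traceable. The block state is read once per watcher at send time, and if `isBlocked()` is served from a replica by default (to be confirmed against the User class) a block placed just before the edit may not be seen yet; the comment above the loop should say so. The loop body continues past the end of the hunk.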
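Review bot: The new `elseif ( $wgBlockDisablesLogin && $targetUser->isBlocked() )` branch in canSendUserTalkEmail (the `@@ -285,6 +287,8 @@` hunk) only stops the user-talk mail; a blocked owner who also watches their own talk page is then kept out solely by the separate clause in the watcher loop, because the `$watchingUser->getID() != $userTalkId` exclusion there presumably no longer applies once this method declines. That dependency is not written down anywhere in the diff, so a comment on this branch such as `// Blocked owners are also filtered in the watcher loop of actuallyNotifyOnPageChange; keep both checks` would keep a later edit from removing one half. The diff shown touches only EmailNotification.php, so a test asserting that neither a blocked watcher nor a blocked talk-page owner is mailed when $wgBlockDisablesLogin is set would be worth adding alongside it. The if/elseif chain starts before the hunk and ends after it.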