From 5bb72fcaf659dd7a44fb9112e32f99e49fd1a318 Mon Sep 17 00:00:00 2001
From: rxy
Date: Mon, 29 Apr 2019 05:04:01 +0900
Subject: [PATCH] SECURITY: Add permission check for user is permitted to view the log type
Bug: T222036
Change-Id: I7584ee8db23a8834bbab21e355cab9857a293f72
---
 includes/changetags/ChangeTagsLogItem.php | 2 +-
 includes/specials/SpecialEditTags.php | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/includes/changetags/ChangeTagsLogItem.php b/includes/changetags/ChangeTagsLogItem.php
index a248c6e8b5..1b9fd92ca9 100644
--- a/includes/changetags/ChangeTagsLogItem.php
+++ b/includes/changetags/ChangeTagsLogItem.php
@@ -49,7 +49,7 @@ class ChangeTagsLogItem extends RevisionItemBase {
 }
 public function canView() {
- return LogEventsList::userCan( $this->row, Revision::DELETED_RESTRICTED, $this->list->getUser() );
+ return LogEventsList::userCan( $this->row, Revision::SUPPRESSED_ALL, $this->list->getUser() );
 }
 public function canViewContent() {
diff --git a/includes/specials/SpecialEditTags.php b/includes/specials/SpecialEditTags.php
index 60d5fd7c8c..d11cf64c49 100644
--- a/includes/specials/SpecialEditTags.php
+++ b/includes/specials/SpecialEditTags.php
@@ -225,6 +225,9 @@ class SpecialEditTags extends UnlistedSpecialPage {
 // phpcs:ignore Generic.CodeAnalysis.ForLoopWithTestFunctionCall
 for ( $list->reset(); $list->current(); $list->next() ) {
 $item = $list->current();
+ if ( !$item->canView() ) {
+ throw new ErrorPageError( 'permissionserrors', 'tags-update-no-permission' );
+ }
 $numRevisions++;
 $out->addHTML( $item->getHTML() );
 }
--
2.20.1
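Review bot: The widened mask in `ChangeTagsLogItem::canView()` carries no comment, and the commit message speaks of a log-type check rather than a bitfield change, so the reason `Revision::SUPPRESSED_ALL` replaced `Revision::DELETED_RESTRICTED` is not recorded anywhere a maintainer would look. A one-line comment above the return would fix that, for example `// Check every visibility bit on the log row, not only DELETED_RESTRICTED.` The row passed in is a log row while the constant is taken from `Revision`; if the log classes offer an equivalent mask, using it would make the intent easier to audit. `canViewContent()` opens on the last line of the hunk and its body is not shown, so it is worth confirming it does not still rely on the narrower check.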
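Review bot: The new `canView()` check in `SpecialEditTags` sits inside the loop that renders the selected items, so it guards the form display but, as far as this hunk shows, not the code path that applies the tag change when the form is posted. That handler is outside the hunk; it should be confirmed to refuse non-viewable items as well, because the server cannot assume the form was rendered before a submission arrives. The throw also fires after earlier iterations have already run `$out->addHTML( $item->getHTML() )`, so a clean error page depends on the buffered output being discarded; validating every item in a first pass before any `addHTML()` call would remove that dependency. A comment on the check such as `// All-or-nothing: refuse the request if any selected entry is hidden from this user` would document the intent. The enclosing method starts and ends outside the hunk.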