diff --git a/includes/api/ApiComparePages.php b/includes/api/ApiComparePages.php
index 334765d06b1..e3e5672557d 100644
--- a/includes/api/ApiComparePages.php
+++ b/includes/api/ApiComparePages.php
@@ -278,9 +278,18 @@ class ApiComparePages extends ApiBase {
*/
private function getRevisionById( $id ) {
$rev = $this->revisionStore->getRevisionById( $id );
+
+ if ( $rev ) {
+ $this->checkTitleUserPermissions( $rev->getPage(), 'read' );
+ }
+
if ( !$rev && $this->getAuthority()->isAllowedAny( 'deletedtext', 'undelete' ) ) {
// Try the 'archive' table
$rev = $this->archivedRevisionLookup->getArchivedRevisionRecord( null, $id );
+
+ if ( $rev ) {
+ $this->checkTitleUserPermissions( $rev->getPage(), 'deletedtext' );
+ }
}
return $rev;
}
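Review bot: The archived-revision branch checks only `deletedtext` on the page, so a title-level read restriction of the kind the new test emulates (a `getUserPermissionsErrors` hook that denies `read`) is presumably not consulted for revisions served from the archive table; whether `checkTitleUserPermissions( ..., 'deletedtext' )` also runs the read checks is not visible here, so this needs confirming against PermissionManager. If it does not, the archive branch should check both, e.g. `$this->checkTitleUserPermissions( $rev->getPage(), [ 'read', 'deletedtext' ] );` if the helper accepts an array of actions, or two consecutive calls otherwise. Note also that the lookup is gated on `isAllowedAny( 'deletedtext', 'undelete' )` while the per-title check requires `deletedtext` specifically, so a performer holding only `undelete` now gets a permission error instead of a lookup; if that tightening is intended, a one-line comment above the check saying so would save the next reader a trip to the history. The docblock of getRevisionById starts outside the hunk and could state that the method now throws on missing read access rather than returning null.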
diff --git a/tests/phpunit/includes/api/ApiComparePagesTest.php b/tests/phpunit/includes/api/ApiComparePagesTest.php
index 72363a61df8..4adb7dc6213 100644
--- a/tests/phpunit/includes/api/ApiComparePagesTest.php
+++ b/tests/phpunit/includes/api/ApiComparePagesTest.php
@@ -1073,4 +1073,47 @@ class ApiComparePagesTest extends ApiTestCase {
];
// phpcs:enable
}
+
+ /**
+ * Assert that read access restrictions are enforced (T397521).
+ */
+ public function testNoReadAccess() {
+ $this->overrideConfigValue( MainConfigNames::DiffEngine, 'php' );
+
+ $params = [
+ 'fromrev' => '{{REPL:revA2}}',
+ 'torelative' => 'cur',
+ 'prop' => 'ids',
+ 'action' => 'compare',
+ 'errorformat' => 'none',
+ ];
+
+ $this->doReplacements( $params );
+
+ $performer = static::getTestUser()->getAuthority();
+
+ // Emulate access restrictions as implemented by Lockdown and similar
+ // extensions.
+ $this->setTemporaryHook(
+ 'getUserPermissionsErrors',
+ static function ( $title, $user, $action, &$result ) {
+ if ( $action === 'read' ) {
+ $result = 'badaccess-group0';
+ return false;
+ }
+
+ return true;
+ }
+ );
+
+ $expectedCode = 'permissiondenied';
+
+ try {
+ $this->doApiRequest( $params, null, false, $performer );
+ $this->fail( 'Expected exception not thrown' );
+ } catch ( ApiUsageException $ex ) {
+ $this->assertApiErrorCode( $expectedCode, $ex,
+ "Exception with code $expectedCode" );
+ }
+ }
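Review bot: The test exercises only the live-revision path, since `fromrev` resolves to an existing revision and the hook denies solely `$action === 'read'`; the new `deletedtext` check on the archive branch of getRevisionById has no coverage. A second case that performs the request as a user allowed `deletedtext`/`undelete`, with the revision deleted and a hook denying `read` (or `deletedtext`), would pin down which actions are enforced for archived revisions. The inline comment `// Emulate access restrictions as implemented by Lockdown and similar extensions.` is useful; adding that only `read` is denied so the test is deliberately scoped to live revisions would make the gap explicit rather than accidental.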
}
