Last modified: 2012-12-18 19:44:11 UTC
Somewhat related to bug 42814, but a bit different. Blocked users are not able to see https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchFilter=3, they simply see the standard block message. However they can still see https://en.wikipedia.org/w/api.php?action=query&list=abuselog&aflfilter=3, which provides nearly the same information. I'm marking this as major because, like the other bug, it is providing information to users who should not be able to see it.
Marking as easy per MZMcBride's rationale on the other bug.
Gerrit change #37562
I think the basis of the leak is that the special page only filters the result for a filter id if the user has the permission 'abusefilter-log-private' or 'abusefilter-view-private' (SpecialAbuseLog around line 225). The api doesn't seem to check for this.
(In reply to comment #3)
> I think the basis of the leak is that the special page only filters the result
> for a filter id if the user has the permission 'abusefilter-log-private' or
> 'abusefilter-view-private' (SpecialAbuseLog around line 225). The api doesn't
> seem to check for this.

Looks like you're talking about bug 42814...
Change merged