Last modified: 2012-12-18 19:44:11 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and, except for displaying bug reports and their history, links might be broken. See T44816, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 42816 - Abusefilter API does not check whether a user is blocked
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: AbuseFilter
Version: unspecified
Hardware/OS: All / All
Importance: Unprioritized major
Target Milestone: ---
Assigned To: Alex Monk
Keywords: easy
Depends on:
Blocks:
Reported: 2012-12-07 07:36 UTC by Kunal Mehta (Legoktm)
Modified: 2012-12-18 19:44 UTC
CC: 5 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Kunal Mehta (Legoktm) 2012-12-07 07:36:13 UTC
Somewhat related to bug 42814, but a bit different.

Blocked users are not able to see https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchFilter=3; they simply see the standard block message.

However they can still see https://en.wikipedia.org/w/api.php?action=query&list=abuselog&aflfilter=3, which provides nearly the same information.

I'm marking this as major because, like the other bug, it is providing information to users who should not be able to see it.
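The report above describes a classic interface-parity gap: the web special page enforces a block check, while the API module exposing the same abuse log data does not. The following Python model is an added illustration (not code from this bug report, MediaWiki, or the AbuseFilter extension); the user names, log entries and function names are constructed. It shows the "before" and "after" API paths side by side, routes both the UI and the fixed API through one shared authorization gate, and includes a small regression check that flags any user for whom the two interfaces disagree.

```python
"""Constructed model of the gap in this report: the web special page refuses
blocked users, but the API module exposing the same abuse log does not.
This is an added illustration, not MediaWiki or AbuseFilter code."""

from dataclasses import dataclass
from typing import Callable, List, Tuple


class PermissionDenied(Exception):
    """Raised when an interface refuses to serve the request."""


@dataclass(frozen=True)
class User:
    name: str
    blocked: bool = False


@dataclass(frozen=True)
class AbuseLogEntry:
    filter_id: int
    title: str
    actor: str


# Constructed sample data; filter id 3 mirrors the URLs in the report.
ABUSE_LOG: List[AbuseLogEntry] = [
    AbuseLogEntry(3, "Example_page", "Alice"),
    AbuseLogEntry(3, "Other_page", "Bob"),
    AbuseLogEntry(7, "Third_page", "Carol"),
]


def can_view_abuselog(user: User) -> None:
    """Single authorization gate that every interface must call.
    Keeping the block check here stops the UI and API from drifting apart."""
    if user.blocked:
        raise PermissionDenied(f"{user.name} is blocked")


def query_log(filter_id: int) -> List[AbuseLogEntry]:
    """Data access with no authorization of its own."""
    return [e for e in ABUSE_LOG if e.filter_id == filter_id]


def special_page_abuselog(user: User, filter_id: int) -> List[AbuseLogEntry]:
    """Special:AbuseLog-like path: checks the block before showing anything."""
    can_view_abuselog(user)
    return query_log(filter_id)


def api_abuselog_before_fix(user: User, filter_id: int) -> List[AbuseLogEntry]:
    """list=abuselog-like path as reported: goes straight to the data."""
    return query_log(filter_id)


def api_abuselog_after_fix(user: User, filter_id: int) -> List[AbuseLogEntry]:
    """Same API path once it shares the gate with the special page."""
    can_view_abuselog(user)
    return query_log(filter_id)


Interface = Callable[[User, int], List[AbuseLogEntry]]


def outcome(interface: Interface, user: User, filter_id: int) -> Tuple[str, int]:
    """Normalise an interface's result to (decision, rows returned)."""
    try:
        return ("allowed", len(interface(user, filter_id)))
    except PermissionDenied:
        return ("denied", 0)


def interfaces_agree(ui: Interface, api: Interface,
                     users: List[User], filter_id: int) -> List[str]:
    """Regression check: list every user for whom the UI and API disagree.
    An empty list means there is no access-check gap between the two."""
    mismatches = []
    for user in users:
        if outcome(ui, user, filter_id) != outcome(api, user, filter_id):
            mismatches.append(user.name)
    return mismatches


if __name__ == "__main__":
    users = [User("editor"), User("blocked_editor", blocked=True)]
    print("before fix:", interfaces_agree(special_page_abuselog,
                                          api_abuselog_before_fix, users, 3))
    print("after fix: ", interfaces_agree(special_page_abuselog,
                                          api_abuselog_after_fix, users, 3))
```

The design point is that `can_view_abuselog` is the only place the block decision lives; a second interface that forgets to call it is exactly the defect reported here, and `interfaces_agree` is the kind of check that would catch such an omission in a test suite before it reaches production.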
Comment 1 Kunal Mehta (Legoktm) 2012-12-07 07:37:04 UTC
Marking as easy per MZMcBride's rationale on the other bug.
Comment 2 Alex Monk 2012-12-07 22:19:18 UTC
Gerrit change #37562
Comment 3 Chris Steipp 2012-12-10 20:41:15 UTC
I think the basis of the leak is that the special page only filters the result for a filter id if the user has the permission 'abusefilter-log-private' or 'abusefilter-view-private' (SpecialAbuseLog around line 225). The API doesn't seem to check for this.
Comment 4 Alex Monk 2012-12-10 21:22:03 UTC
(In reply to comment #3)
> I think the basis of the leak is that the special page only filters the
> result
> for a filter id if the user has the permission 'abusefilter-log-private' or
> 'abusefilter-view-private' (SpecialAbuseLog around line 225). The api doesn't
> seem to check for this.

Looks like you're talking about bug 42814...
Comment 5 Marius Hoch 2012-12-18 19:44:11 UTC
Change merged
