authorFunc <Funcer@outlook.com>2021-11-09 09:47:14 +0000
committerReedy <reedy@wikimedia.org>2025-03-24 12:55:44 +0000
commit06b9aa64b2e8cb6cc0fa9776a2b9999619923f0f (patch)
tree8346b284d6475ccf6bf00b0d37ca266eca088317
parent524b93e175e56f9414fc602a010c8e02a0b50050 (diff)
Apply proper restrictions on file revert action
Users need the 'reupload' or 'reupload-own' right to revert a file.

Bug: T304474
Change-Id: I2d0eaeeea237286741708c2b5920fe7cca3acf50
(cherry picked from commit 7b4aee237e257954195c4d695b2cfe2a9a3b4116)
-rw-r--r--includes/actions/RevertAction.php11
-rw-r--r--includes/api/ApiFileRevert.php6
2 files changed, 17 insertions, 0 deletions
diff --git a/includes/actions/RevertAction.php b/includes/actions/RevertAction.php
index 5963596e8bad..1c897f8f5507 100644
--- a/includes/actions/RevertAction.php
+++ b/includes/actions/RevertAction.php
@@ -71,6 +71,7 @@ class RevertAction extends FormAction {
}
public function getRestriction() {
+ // Required permissions of revert are complicated, will be checked below.
return 'upload';
}
@@ -78,6 +79,16 @@ class RevertAction extends FormAction {
if ( $this->getTitle()->getNamespace() !== NS_FILE ) {
throw new ErrorPageError( $this->msg( 'nosuchaction' ), $this->msg( 'nosuchactiontext' ) );
}
+
+ $rights = [ 'reupload' ];
+ if ( $user->equals( $this->getFile()->getUploader() ) ) {
+ // reupload-own is more basic, put it in the front for error messages.
+ array_unshift( $rights, 'reupload-own' );
+ }
+ if ( !$user->isAllowedAny( ...$rights ) ) {
+ throw new PermissionsError( $rights[0] );
+ }
+
parent::checkCanExecute( $user );
$oldimage = $this->getRequest()->getText( 'oldimage' );
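Review bot: The ownership test `$user->equals( $this->getFile()->getUploader() )` calls getUploader() with its default audience, so if the uploader of the current version is hidden the call presumably returns null and the real uploader is treated as a non-owner who needs full `reupload`. That fails closed, but it should be confirmed against how the normal upload path decides `reupload-own`, so the two do not disagree for the same user and file. The comparison is also against the uploader of the current file version, not of the archived version named by `oldimage`, and the code does not say so; I would add `// Ownership is judged on the current version's uploader; if it is unavailable only 'reupload' qualifies.` above the `if`. The same lines appear in the ApiFileRevert.php hunk, and checkCanExecute starts above this hunk and continues below it.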
diff --git a/includes/api/ApiFileRevert.php b/includes/api/ApiFileRevert.php
index c33cb8c2180f..290f46015f7a 100644
--- a/includes/api/ApiFileRevert.php
+++ b/includes/api/ApiFileRevert.php
@@ -61,6 +61,12 @@ class ApiFileRevert extends ApiBase {
// Check whether we're allowed to revert this file
$this->checkTitleUserPermissions( $this->file->getTitle(), [ 'edit', 'upload' ] );
+ $rights = [ 'reupload' ];
+ if ( $this->getUser()->equals( $this->file->getUploader() ) ) {
+ // reupload-own is more basic, put it in the front for error messages.
+ array_unshift( $rights, 'reupload-own' );
+ }
+ $this->checkUserRightsAny( $rights );
$sourceUrl = $this->file->getArchiveVirtualUrl( $this->archiveName );
$status = $this->file->upload(
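Review bot: The six added lines before `$sourceUrl` are a copy of the right-selection logic in RevertAction::checkCanExecute, so the web action and the API now each carry their own version of the same authorization decision. Two copies gating one operation tend to drift, leaving one entry point weaker than the other. Consider having both callers use a single shared method; MediaWiki's upload code appears to already have a reupload ownership check that may fit, which is worth verifying. The commit touches only these two files, so no regression test pins the new denial. Tests for both paths should cover a user with only `upload`, a `reupload-own` holder who is not the uploader, and the uploader. The enclosing method starts above the hunk and the `upload(` call continues past it.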