author | MusikAnimal <musikanimal@gmail.com> | 2024-11-13 22:03:30 -0500 |
---|---|---|
committer | MusikAnimal <musikanimal@gmail.com> | 2024-11-16 02:28:18 -0500 |
commit | 0bcb1d2068d6db08f80ab94e9a0a95794a6f755e (patch) | |
tree | 925dc8126d6072e027a9dd4fce1a6b46b1063e22 /tests/phpunit/includes/api/query/ApiQueryContinueTest.php | |
parent | 15eed59c1a3c690a60e9bb163860214ae28669c7 (diff) | |
download | mediawikicore-0bcb1d2068d6db08f80ab94e9a0a95794a6f755e.tar.gz mediawikicore-0bcb1d2068d6db08f80ab94e9a0a95794a6f755e.zip |
SpecialBlock [Codex]: Fix various bugs with hideuser and error display

Use wpHideUser as the name attribute and URL query param. This is the
name it has always had and some scripts in the wild rely on it.

Only show the hideuser warning if the user has rights to hide the user.

A hack is introduced to preserve the HTML rendering of server-provided
messages and still match Codex styles. Some messages such as
'ipb-confirmhideuser' are overridden in WikimediaMessages to contain
links and other markup. Individual wikis may also have the errors
customized in this way, so we need to allow HTML here. Fortunately
these server-generated messages should be safe from XSS vulnerabilities
as usernames are escaped, etc.

Ensure hideNameVisible is set in addition to hideName (the checkbox
value) when making the API response. Otherwise an unprivileged user may
browse to Special:Block?wpHideName=1 and submit only to mysteriously see
a permissions error (even though there's no visible 'hide user' option
in the form).

Finally, rename the watch prop to watchUser to avoid confusion and
conflicts with Vue's watch method.

Bug: T379875
Change-Id: I3fea319d2a822bb3c831d15d2209c18aa8142e3e
Diffstat (limited to 'tests/phpunit/includes/api/query/ApiQueryContinueTest.php')
0 files changed, 0 insertions, 0 deletions