patch_for_MW1.23.7.txt

--- includes/actions/HistoryAction.php	2014-12-07 10:40:02.446036059 +0100
+++ includes/actions/HistoryAction.php	2014-12-07 10:40:28.778166630 +0100
@@ -650,7 +650,17 @@
 		}
 
 		# Text following the character difference is added just before running hooks
-		$s2 = Linker::revComment( $rev, false, true );
+		
+		/*op-patch|TS|2014-09-30|HaloACL|Protected properties|start*/
+		// 
+		global $haclgProtectProperties;
+		$s2 = '';
+		if (!$haclgProtectProperties) {
+			// The comment for an article might reveal values of protected properties
+			$s2 = Linker::revComment( $rev, false, true );
+		}
+		/*op-patch|TS|2014-09-30|end*/
+
 
 		if ( $notificationtimestamp && ( $row->rev_timestamp >= $notificationtimestamp ) ) {
 			$s2 .= ' <span class="updatedmarker">' . $this->msg( 'updatedmarker' )->escaped() . '</span>';
--- includes/diff/TableDiffFormatter.php	2014-12-07 10:40:00.458026203 +0100
+++ includes/diff/TableDiffFormatter.php	2014-12-07 10:40:25.982152770 +0100
@@ -94,7 +94,16 @@
 	 * @return string
 	 */
 	protected function addedLine( $line ) {
-		return $this->wrapLine( '+', 'diff-addedline', $line );
+		global $haclgProtectProperties;
+		if (!$haclgProtectProperties || !defined('SMW_VERSION') || !strpos($line, "::") ) {
+			// Properties are not protected or no properties in line - everything can be processed
+			return $this->wrapLine( '+++', 'diff-addedline', $line );
+		} else { // properties in text
+			$regexpattern = '/::[^\]]*/';
+			$regexreplace = '::Property value removed by HaloACL';
+			$line2 = preg_replace($regexpattern, $regexreplace, $line);
+			return $this->wrapLine( '+', 'diff-addedline', $line2 );
+		} 	
 	}
 
 	/**
@@ -105,7 +114,16 @@
 	 * @return string
 	 */
 	protected function deletedLine( $line ) {
-		return $this->wrapLine( '−', 'diff-deletedline', $line );
+		global $haclgProtectProperties;
+		if (!$haclgProtectProperties || !defined('SMW_VERSION') || !strpos($line, "::") ) {
+			// Properties are not protected or no properties in line - everything can be processed
+			return $this->wrapLine( '-', 'diff-addedline', $line );
+		} else { // properties in text
+			$regexpattern = '/::[^\]]*/';
+			$regexreplace = '::Property value removed by HaloACL';
+			$line2 = preg_replace($regexpattern, $regexreplace, $line);
+			return $this->wrapLine( '-', 'diff-addedline', $line2 );
+		} 	
 	}
 
 	/**
@@ -116,7 +134,16 @@
 	 * @return string
 	 */
 	protected function contextLine( $line ) {
-		return $this->wrapLine( '&#160;', 'diff-context', $line );
+		global $haclgProtectProperties;
+		if (!$haclgProtectProperties || !defined('SMW_VERSION') || !strpos($line, "::") ) {
+			// Properties are not protected or no properties in line - everything can be processed
+			return $this->wrapLine( '&#160', 'diff-addedline', $line );
+		} else { // properties in text
+			$regexpattern = '/::[^\]]*/';
+			$regexreplace = '::Property value removed by HaloACL';
+			$line2 = preg_replace($regexpattern, $regexreplace, $line);
+			return $this->wrapLine( '&#160', 'diff-addedline', $line2 );
+		} 			
 	}
 
 	/**
--- includes/logging/LogEventsList.php	2014-12-07 10:40:03.470041134 +0100
+++ includes/logging/LogEventsList.php	2014-12-07 10:40:30.158173473 +0100
@@ -327,6 +327,13 @@
 		$formatter->setContext( $this->getContext() );
 		$formatter->setShowUserToolLinks( !( $this->flags & self::NO_EXTRA_USER_LINKS ) );
 
+/*op-patch|start*/
+		$title = $entry->getTarget();
+		if (!$title->userCanReadEx()) {
+			return '';
+		}				
+/*op-patch|end*/
+
 		$time = htmlspecialchars( $this->getLanguage()->userTimeAndDate(
 			$entry->getTimestamp(), $this->getUser() ) );
 
--- includes/QueryPage.php	2014-12-07 10:40:02.554036591 +0100
+++ includes/QueryPage.php	2014-12-07 10:40:29.022167847 +0100
@@ -610,6 +610,21 @@
 			# $res might contain the whole 1,000 rows, so we read up to
 			# $num [should update this to use a Pager]
 			for ( $i = 0; $i < $num && $row = $res->fetchObject(); $i++ ) {
+				/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+				// See http://dmwiki.ontoprise.com/dmwiki/index.php/SafeTitle
+				$title = null;
+				if (isset($row->namespace) && isset($row->title)) {
+					$title = Title::makeTitleSafe( $row->namespace, $row->title );
+				} else if (isset($row->id)) {
+					$title = Title::newFromID($row->id);
+				} else if (isset($row->type) && $row->type === 'Templates' 
+							&& isset($row->title)) {
+					$title = Title::makeTitleSafe(NS_TEMPLATE, $row->title);
+				}
+				if ($title && !$title->userCanReadEx()) {
+					continue;
+				}
+				/*op-patch|TS|2014-09-30|end*/				
 				$line = $this->formatResult( $skin, $row );
 				if ( $line ) {
 					$attr = ( isset( $row->usepatrol ) && $row->usepatrol && $row->patrolled == 0 )
--- includes/specials/SpecialAllpages.php	2014-12-07 10:40:02.990038759 +0100
+++ includes/specials/SpecialAllpages.php	2014-12-07 10:40:29.714171277 +0100
@@ -412,6 +412,12 @@
 				$out = Xml::openElement( 'table', array( 'class' => 'mw-allpages-table-chunk' ) );
 				while ( ( $n < $this->maxPerPage ) && ( $s = $res->fetchObject() ) ) {
 					$t = Title::newFromRow( $s );
+					/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+					// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+					if ($t && !$t->userCanReadEx()) {
+						continue; 
+					}
+					/*op-patch|TS|2014-09-30|end*/  					
 					if ( $t ) {
 						$link = ( $s->page_is_redirect ? '<div class="allpagesredirect">' : '' ) .
 							Linker::link( $t ) .
--- includes/specials/SpecialCategories.php	2014-12-07 10:40:02.974038677 +0100
+++ includes/specials/SpecialCategories.php	2014-12-07 10:40:29.658170993 +0100
@@ -172,6 +172,13 @@
 
 	function formatRow( $result ) {
 		$title = new TitleValue( NS_CATEGORY, $result->cat_title );
+		/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+		// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+		$title_nftv = Title::newFromTitleValue($title);
+		if (!$title_nftv->userCanReadEx()) {
+			return "";
+		}
+		/*op-patch|TS|2014-09-30|end*/		
 		$text = $title->getText();
 		$link = $this->linkRenderer->renderHtmlLink( $title, $text );
 
--- includes/specials/SpecialContributions.php	2014-12-07 10:40:03.166039628 +0100
+++ includes/specials/SpecialContributions.php	2014-12-07 10:40:29.762171510 +0100
@@ -973,6 +973,9 @@
 			$classes = array();
 
 			$page = Title::newFromRow( $row );
+			if (!$page->userCanReadEx()) {
+				return "";
+			}			
 			$link = Linker::link(
 				$page,
 				htmlspecialchars( $page->getPrefixedText() ),
--- includes/specials/SpecialListfiles.php	2014-12-07 10:40:02.974038677 +0100
+++ includes/specials/SpecialListfiles.php	2014-12-07 10:40:29.650170949 +0100
@@ -389,6 +389,31 @@
 		UserCache::singleton()->doQuery( $userIds, array( 'userpage' ), __METHOD__ );
 	}
 
+	function formatRow( $row ) {
+		
+		/*op-patch*/
+		$fieldNames = $this->getFieldNames();
+		$value = isset( $row->img_name ) ? $row->img_name : null;
+		$filePage = Title::makeTitleSafe( NS_FILE, $value );
+		if (!$filePage->userCanReadEx()) {
+			return "";
+		}
+		/*op-patch*/
+		$this->mCurrentRow = $row;  	# In case formatValue etc need to know
+		$s = Xml::openElement( 'tr', $this->getRowAttrs( $row ) );
+		$fieldNames = $this->getFieldNames();
+		foreach ( $fieldNames as $field => $name ) {
+			$value = isset( $row->$field ) ? $row->$field : null;
+			$formatted = strval( $this->formatValue( $field, $value ) );
+			if ( $formatted == '' ) {
+				$formatted = '&#160;';
+			}
+			$s .= Xml::tags( 'td', $this->getCellAttrs( $field, $value ), $formatted );
+		}
+		$s .= "</tr>\n";
+		return $s;
+	}	
+
 	/**
 	 * @param string $field
 	 * @param string $value
--- includes/specials/SpecialListredirects.php	2014-12-07 10:40:02.970038656 +0100
+++ includes/specials/SpecialListredirects.php	2014-12-07 10:40:29.642170913 +0100
@@ -122,6 +122,12 @@
 
 		# Find out where the redirect leads
 		$target = $this->getRedirectTarget( $result );
+		/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+		// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+		if (!$target->userCanReadEx()) {
+			return;
+		}
+		/*op-patch|TS|2014-09-30|end*/ 		
 		if ( $target ) {
 			# Make a link to the destination page
 			$lang = $this->getLanguage();
--- includes/specials/SpecialNewimages.php	2014-12-07 10:40:02.974038677 +0100
+++ includes/specials/SpecialNewimages.php	2014-12-07 10:40:29.662171014 +0100
@@ -141,6 +141,9 @@
 		$user = User::newFromId( $row->img_user );
 
 		$title = Title::makeTitle( NS_FILE, $name );
+		if (!$title->userCanReadEx()) {
+			return "";
+		}		
 		$ul = Linker::link( $user->getUserpage(), $user->getName() );
 		$time = $this->getLanguage()->userTimeAndDate( $row->img_timestamp, $this->getUser() );
 
--- includes/specials/SpecialNewpages.php	2014-12-07 10:40:03.030038954 +0100
+++ includes/specials/SpecialNewpages.php	2014-12-07 10:40:29.742171416 +0100
@@ -305,6 +305,12 @@
 	 */
 	public function formatRow( $result ) {
 		$title = Title::newFromRow( $result );
+		/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+		// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+		if (!$title->userCanReadEx()) {
+			return "";
+		}
+		/*op-patch|TS|2014-09-30|end*/		
 
 		# Revision deletion works on revisions, so we should cast one
 		$row = array(
--- includes/specials/SpecialPrefixindex.php	2014-12-07 10:40:03.166039628 +0100
+++ includes/specials/SpecialPrefixindex.php	2014-12-07 10:40:29.746171429 +0100
@@ -212,6 +212,12 @@
 				$prefixLength = strlen( $prefix );
 				while ( ( $n < $this->maxPerPage ) && ( $s = $res->fetchObject() ) ) {
 					$t = Title::makeTitle( $s->page_namespace, $s->page_title );
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+					if ($t && !$t->userCanReadEx()) {
+						continue; 
+					}
+/*op-patch|TS|2014-09-30|end*/  					
 					if ( $t ) {
 						$displayed = $t->getText();
 						// Try not to generate unclickable links
--- includes/specials/SpecialProtectedpages.php	2014-12-07 10:40:03.010038850 +0100
+++ includes/specials/SpecialProtectedpages.php	2014-12-07 10:40:29.738171393 +0100
@@ -387,6 +387,12 @@
 
 			case 'pr_page':
 				$title = Title::makeTitleSafe( $row->page_namespace, $row->page_title );
+				/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+				// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+				if (!$title->userCanReadEx()) {
+					return "";
+				}
+				/*op-patch|TS|2014-09-30|end*/				
 				if ( !$title ) {
 					$formatted = Html::element(
 						'span',
--- includes/specials/SpecialProtectedtitles.php	2014-12-07 10:40:02.922038425 +0100
+++ includes/specials/SpecialProtectedtitles.php	2014-12-07 10:40:29.550170455 +0100
@@ -98,6 +98,12 @@
 				)
 			) . "\n";
 		}
+		/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+		// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+		if (!$title->userCanReadEx()) {
+			return "";
+		}
+		/*op-patch|TS|2014-09-30|end*/		
 
 		$link = Linker::link( $title );
 		$description_items = array();
--- includes/specials/SpecialRandompage.php	2014-12-07 10:40:02.990038759 +0100
+++ includes/specials/SpecialRandompage.php	2014-12-07 10:40:29.726171338 +0100
@@ -61,6 +61,12 @@
 		}
 
 		$title = $this->getRandomTitle();
+		/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+		// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+		if (!$title->userCanReadEx()) {
+			$title = NULL;
+		}
+		/*op-patch|TS|2014-09-30|end*/		
 
 		if ( is_null( $title ) ) {
 			$this->setHeaders();
--- includes/specials/SpecialRecentchanges.php	2014-12-07 10:40:02.938038492 +0100
+++ includes/specials/SpecialRecentchanges.php	2014-12-07 10:40:29.586170642 +0100
@@ -300,7 +300,15 @@
 		$list->initChangesListRows( $rows );
 
 		$rclistOutput = $list->beginRecentChangesList();
+
 		foreach ( $rows as $obj ) {
+			/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+			// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+				$rc = RecentChange::newFromRow( $obj );
+				if (!$rc->getTitle()->userCanReadEx()) {
+					continue;
+				}
+			/*op-patch|TS|2014-09-30|end*/ 			
 			if ( $limit == 0 ) {
 				break;
 			}
--- includes/specials/SpecialSearch.php	2014-12-07 10:40:02.954038574 +0100
+++ includes/specials/SpecialSearch.php	2014-12-07 10:40:29.614170776 +0100
@@ -534,7 +534,28 @@
 		$out = "<ul class='mw-search-results'>\n";
 		$result = $matches->next();
 		while ( $result ) {
-			$out .= $this->showHit( $result, $terms );
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+			if (($result->getTitle() != NULL) && ($result->getTitle()->userCanReadEx())) {
+				global $haclgProtectProperties;
+				if (!$haclgProtectProperties || !defined('SMW_VERSION')) {
+					// Properties are not protected.
+					$out .= $this->showHit( $result, $terms );
+				} else {
+					$res0 = $this->showHit( $result, $terms );
+					$res1 = str_replace("'", "", $res0);
+					if ( !strpos($res1, "::<span class=searchmatch>") ) {
+						$regexpattern = '/::[^\]]*/';
+						$regexreplace = '::Property value protected by HaloACL';
+						$res2 = preg_replace($regexpattern, $regexreplace, $res1);
+						$out .= $res2;
+					} else {
+						$out .= '<p>Search result deleted by HaloACL</p>';
+					}
+
+				}
+			}
+/*op-patch|TS|2014-09-30|end*/  
 			$result = $matches->next();
 		}
 		$out .= "</ul>\n";
--- includes/specials/SpecialWatchlist.php	2014-12-07 10:40:02.966038637 +0100
+++ includes/specials/SpecialWatchlist.php	2014-12-07 10:40:29.630170856 +0100
@@ -337,6 +337,12 @@
 		foreach ( $rows as $obj ) {
 			# Make RC entry
 			$rc = RecentChange::newFromRow( $obj );
+			/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+			// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+			if (!$rc->getTitle()->userCanReadEx()) {
+				continue;
+			}
+			/*op-patch|TS|2014-09-30|end*/			
 			$rc->counter = $counter++;
 
 			if ( $wgShowUpdatedMarker ) {
--- includes/specials/SpecialWhatlinkshere.php	2014-12-07 10:40:02.990038759 +0100
+++ includes/specials/SpecialWhatlinkshere.php	2014-12-07 10:40:29.726171338 +0100
@@ -263,6 +263,12 @@
 		$out->addHTML( $this->listStart( $level ) );
 		foreach ( $rows as $row ) {
 			$nt = Title::makeTitle( $row->page_namespace, $row->page_title );
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+			if (!$nt->userCanReadEx()) {
+				continue;
+			}
+/*op-patch|TS|2014-09-30|end*/  			
 
 			if ( $row->rd_from && $level < 2 ) {
 				$out->addHTML( $this->listItem( $row, $nt, true ) );
--- includes/Title.php	2014-12-07 10:40:00.858028184 +0100
+++ includes/Title.php	2014-12-07 10:40:26.430154986 +0100
@@ -152,9 +152,15 @@
 	public static function newFromDBkey( $key ) {
 		$t = new Title();
 		$t->mDbkeyform = $key;
-		if ( $t->secureAndSplit() ) {
-			return $t;
-		} else {
+		if( $t->secureAndSplit() ) {
+		/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+		// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+					return $t->checkAccessControl();
+		}
+		/*op-patch|TS|2014-09-30|end*/  
+		//Replaced by patch		return $t;
+		
+		else {
 			return null;
 		}
 	}
@@ -216,7 +222,11 @@
 			if ( $defaultNamespace == NS_MAIN ) {
 				$cache->set( $text, $t );
 			}
-			return $t;
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+			return $t->checkAccessControl();
+/*op-patch|TS|2014-09-30|end*/  
+// Preplaced by patch			return $t;
 		} else {
 			$ret = null;
 			return $ret;
@@ -250,7 +260,11 @@
 
 		$t->mDbkeyform = str_replace( ' ', '_', $url );
 		if ( $t->secureAndSplit() ) {
-			return $t;
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+			return $t->checkAccessControl();
+/*op-patch|TS|2014-09-30|end*/  
+// Preplaced by patch			return $t;
 		} else {
 			return null;
 		}
@@ -405,7 +419,12 @@
 		$t->mUrlform = wfUrlencode( $t->mDbkeyform );
 		$t->mTextform = str_replace( '_', ' ', $title );
 		$t->mContentModel = false; # initialized lazily in getContentModel()
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+		$t = $t->checkAccessControl();
 		return $t;
+/*op-patch|TS|2014-09-30|end*/  
+// Preplaced by patch		return $t;
 	}
 
 	/**
@@ -427,7 +446,11 @@
 		$t = new Title();
 		$t->mDbkeyform = Title::makeName( $ns, $title, $fragment, $interwiki );
 		if ( $t->secureAndSplit() ) {
-			return $t;
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+// See http://dmwiki.ontoprise.com:8888/dmwiki/index.php/SafeTitle
+			return $t->checkAccessControl();
+/*op-patch|TS|2014-09-30|end*/  
+// Preplaced by patch			return $t;
 		} else {
 			return null;
 		}
@@ -1114,6 +1137,24 @@
 		return $result;
 	}
 
+	/*op-patch|TS|2012-02-24|HaloACL|HaloACLMemcache|start*/
+	// See http://dmwiki.ontoprise.com/index.php/HaloACLMemcache
+	public function userCanRead() {
+		if (!defined('HACL_HALOACL_VERSION')) {
+			//HaloACL is disabled
+			return $this->userCanReadOrig();
+		}
+		
+		global $wgUser;
+		$hmc = HACLMemcache::getInstance();
+		$allowed = $hmc->retrievePermission($wgUser, $this, 'read');
+		if ($allowed === -1) {
+			$allowed = $this->userCanReadOrig();
+			$hmc->storePermission($wgUser, $this, 'read', $allowed);
+		}
+		return $allowed;
+	}	
+
 	/**
 	 * Is this the mainpage?
 	 * @note Title::newFromText seems to be sufficiently optimized by the title
@@ -1458,6 +1499,26 @@
 		return implode( '/', $parts );
 	}
 
+/*op-patch|TS|2012-02-24|HaloACL|HaloACLMemcache|start*/
+ 
+
+public function userCan($action, $doExpensiveQueries = true) {
+	if (!defined('HACL_HALOACL_VERSION')) {
+		//HaloACL is disabled
+		return $this->userCanOrig($action, $doExpensiveQueries);
+	}
+
+	global $wgUser;
+	$hmc = HACLMemcache::getInstance();
+	$allowed = $hmc->retrievePermission($wgUser, $this, $action);
+	if ($allowed === -1) {
+		$allowed = $this->userCanOrig($action, $doExpensiveQueries);
+		$hmc->storePermission($wgUser, $this, $action, $allowed);
+	}
+	return $allowed;
+}
+
+
 	/**
 	 * Get the base page name title, i.e. the part before the subpage name
 	 *
@@ -1859,7 +1920,7 @@
 	 * @deprecated in 1.19; use userCan(), quickUserCan() or getUserPermissionsErrors() instead
 	 * @return Bool
 	 */
-	public function userCanRead() {
+	public function userCanReadOrig() {
 		wfDeprecated( __METHOD__, '1.19' );
 		return $this->userCan( 'read' );
 	}
@@ -1893,7 +1954,7 @@
 	 *   unnecessary queries.
 	 * @return Bool
 	 */
-	public function userCan( $action, $user = null, $doExpensiveQueries = true ) {
+	public function userCanOrig( $action, $user = null, $doExpensiveQueries = true ) {
 		if ( !$user instanceof User ) {
 			global $wgUser;
 			$user = $wgUser;
@@ -2336,7 +2397,7 @@
 				# If it's a special page, ditch the subpage bit and check again
 				$name = $this->getDBkey();
 				list( $name, /* $subpage */ ) = SpecialPageFactory::resolveAlias( $name );
-				if ( $name ) {
+				if ( !is_null($name) ) {
 					$pure = SpecialPage::getTitleFor( $name )->getPrefixedText();
 					if ( in_array( $pure, $wgWhitelistRead, true ) ) {
 						$whitelisted = true;
@@ -2356,6 +2417,8 @@
 			}
 		}
 
+		wfRunHooks( 'userCan', array( &$this, &$user, $action, &$whitelisted )  );		
+
 		if ( !$whitelisted ) {
 			# If the title is not whitelisted, give extensions a chance to do so...
 			wfRunHooks( 'TitleReadWhitelist', array( $this, $user, &$whitelisted ) );
@@ -4503,6 +4566,100 @@
 		return $this->getArticleID() != 0;
 	}
 
+/*op-patch|TS|2014-09-30|HaloACL|SafeTitle|start*/
+
+	
+	/**
+	 * This function is called from the patches for HaloACL for secure listings 
+	 * (e.g. Spcecial:AllPages). It checks, whether the current user is allowed
+	 * to read the article for this title object. For normal pages this is 
+	 * evaluate in the method <userCanRead>. 
+	 * However, the special pages that generate listings, often create title 
+	 * objects before the can check their accessibility. The fallback mechanism
+	 * of HaloACL creates the title "Permission denied" for the article that 
+	 * must not be accessed. The listings would then show a link to "Permission
+	 * denied". So this function returns "false" for the title "Permission denied"
+	 * as well. 
+	 *
+	 * @return 
+	 * 		true, if this title can be read
+	 * 		false, if the title is protected or "Permission denied".
+	 */
+	public function userCanReadEx() {
+		if (!defined('HACL_HALOACL_VERSION')) {
+			//HaloACL is disabled
+			return true;
+		}
+		global $haclgContLang;
+		return $this->mTextform !== $haclgContLang->getPermissionDeniedPage() 
+		       && $this->userCanRead();
+	}
+	
+	/**
+	 * This function checks, if this title is accessible for the action of the
+	 * current request. If the action is unknown it is assumed to be "read".
+	 * If the title is not accessible, the new title "Permission denied" is 
+	 * returned. This is a fallback to protect titles if all other security 
+	 * patches fail.
+	 * 
+	 * While a page is rendered, the same title is often checked several times. 
+	 * To speed things up, the results of an accessibility check are internally
+	 * cached.  
+	 * 
+	 * This function can be disabled in HACL_Initialize.php or LocalSettings.php
+	 * by setting the variable $haclgEnableTitleCheck = false.
+	 *
+	 * @return 
+	 * 		$this, if access is granted on this title or
+	 * 		the title for "Permission denied" if not.
+	 */
+	private function checkAccessControl() {
+		if (!defined('HACL_HALOACL_VERSION')) {
+			//HaloACL is disabled
+			return $this;
+		}
+		global $haclgEnableTitleCheck;
+		if (isset($haclgEnableTitleCheck) && $haclgEnableTitleCheck === false) {
+			return $this;  
+		}
+		
+		static $permissionCache = array();
+		
+		global $wgRequest;
+		$action = $wgRequest->getVal( 'action', 'read');
+		$currentTitle = $wgRequest->getVal('title');
+		$currentTitle = str_replace( '_', ' ', $currentTitle);
+		if ($this->getFullText() != $currentTitle) {
+			$action = 'read';
+		}
+		$index = $this->getFullText().'-'.$action; // A bug was fixed here thanks to Dave MacDonald
+		$allowed = @$permissionCache[$index];
+		if (!isset($allowed)) {
+			switch ($action) {
+				case 'create':
+				case 'edit':
+				case 'move':
+				case 'annotate':
+					$allowed = $this->userCan($action);
+					break;
+				default:
+					$allowed = $this->userCanRead();
+			}
+			$permissionCache[$index] = $allowed;
+		}
+		if ($allowed === false) {
+			global $haclgContLang;
+			$etc = $haclgEnableTitleCheck;
+			$haclgEnableTitleCheck = false;
+			$t = Title::newFromURL($haclgContLang->getPermissionDeniedPage());
+			$haclgEnableTitleCheck = $etc;
+			return $t;
+		}
+		return $this;
+	}
+/*op-patch|TS|2014-09-30|end*/  
+	
+
 	/**
 	 * Should links to this title be shown as potentially viewable (i.e. as
 	 * "bluelinks"), even if there's no record by this title in the page
--- includes/CategoryViewer.php.orig	2014-10-29 18:57:21.000000000 +0100
+++ includes/CategoryViewer.php	2015-07-24 15:17:31.879729942 +0200
@@ -324,6 +324,10 @@
 			$count = 0;
 			foreach ( $res as $row ) {
 				$title = Title::newFromRow( $row );
+				if (!$title->userCanReadEx()) {
+					// HaloACL: do not show titles of unreadable pages
+					continue;
+				}
 				if ( $row->cl_collation === '' ) {
 					// Hack to make sure that while updating from 1.16 schema
 					// and db is inconsistent, that the sky doesn't fall.