Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/317735

Change subject: SECURITY: check stage and user blocked/locked status in 
/identify
......................................................................

SECURITY: check stage and user blocked/locked status in /identify

Bug: T148600
Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394
(cherry picked from commit 3f5875b23f5ff7eb43a740075e383ec816adbeed)
---
M frontend/specialpages/SpecialMWOAuth.php
1 file changed, 8 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth 
refs/changes/35/317735/1

diff --git a/frontend/specialpages/SpecialMWOAuth.php 
b/frontend/specialpages/SpecialMWOAuth.php
index 42dcad3..2dea5a3 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -30,7 +30,7 @@
        }
 
        public function execute( $subpage ) {
-               global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly;
+               global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly, 
$wgBlockDisablesLogin;
 
                $this->setHeaders();
 
@@ -137,6 +137,8 @@
                                        $oauthRequest = 
MWOAuthRequest::fromRequest( $request );
                                        // verify_request throws an exception 
if anything isn't verified
                                        list( $consumer, $token ) = 
$server->verify_request( $oauthRequest );
+                                       /** @var MWOAuthConsumer $consumer */
+                                       /** @var MWOAuthToken $token */
 
                                        $wiki = wfWikiID();
                                        $dbr = MWOAuthUtils::getCentralDB( 
DB_SLAVE );
@@ -147,10 +149,15 @@
                                                        
'mwoauth-invalid-authorization-wrong-wiki',
                                                        array( $wiki )
                                                );
+                                       } elseif ( !$consumer->isUsableBy( 
$user ) ) {
+                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-not-approved',
+                                                       $consumer->get( 'name' 
) );
                                        }
                                        $localUser = 
MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
                                        if ( !$localUser || 
!$localUser->isLoggedIn() ) {
                                                throw new MWOAuthException( 
'mwoauth-invalid-authorization-invalid-user' );
+                                       } elseif ( $localUser->isLocked() || 
$wgBlockDisablesLogin && $localUser->isBlocked() ) {
+                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-blocked-user' );
                                        }
 
                                        // We know the identity of the user who 
granted the authorization
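Review bot: The new blocked-user `elseif` mixes `||` and `&&` without parentheses, so the intended reading — locked, or blocked only when blocks disable login — rests on `&&` binding tighter than `||`; write it explicitly as `} elseif ( $localUser->isLocked() || ( $wgBlockDisablesLogin && $localUser->isBlocked() ) ) {`. PHP's precedence does give the intended result today, so this is a readability point rather than a logic defect. The `$user` passed to the new `isUsableBy()` check is defined outside the hunk, as is the enclosing `execute()` method, so it is not visible here whether that is the requesting user or the token owner; a one-line comment above that check naming which user the stage check is evaluated against would make the security intent clear to the next reader.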


Gerrit-MessageType: newchange
Gerrit-Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: REL1_26
Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org>
