Gergő Tisza has submitted this change and it was merged.

Change subject: SECURITY: check stage and user blocked/locked status in 
/identify
......................................................................


SECURITY: check stage and user blocked/locked status in /identify

Bug: T148600
Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394
(cherry picked from commit 3f5875b23f5ff7eb43a740075e383ec816adbeed)
---
M frontend/specialpages/SpecialMWOAuth.php
1 file changed, 8 insertions(+), 1 deletion(-)

Approvals:
  Gergő Tisza: Verified; Looks good to me, approved



diff --git a/frontend/specialpages/SpecialMWOAuth.php 
b/frontend/specialpages/SpecialMWOAuth.php
index 6e6eccf..dd46415 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -27,7 +27,7 @@
        }
 
        public function execute( $subpage ) {
-               global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly;
+               global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly, 
$wgBlockDisablesLogin;
 
                $this->setHeaders();
 
@@ -131,6 +131,8 @@
                                        $oauthRequest = 
MWOAuthRequest::fromRequest( $request );
                                        // verify_request throws an exception 
if anything isn't verified
                                        list( $consumer, $token ) = 
$server->verify_request( $oauthRequest );
+                                       /** @var MWOAuthConsumer $consumer */
+                                       /** @var MWOAuthToken $token */
 
                                        $wiki = wfWikiID();
                                        $dbr = MWOAuthUtils::getCentralDB( 
DB_SLAVE );
@@ -141,10 +143,15 @@
                                                        
'mwoauth-invalid-authorization-wrong-wiki',
                                                        array( $wiki )
                                                );
+                                       } elseif ( !$consumer->isUsableBy( 
$user ) ) {
+                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-not-approved',
+                                                       $consumer->get( 'name' 
) );
                                        }
                                        $localUser = 
MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
                                        if ( !$localUser || 
!$localUser->isLoggedIn() ) {
                                                throw new MWOAuthException( 
'mwoauth-invalid-authorization-invalid-user' );
+                                       } elseif ( $localUser->isLocked() || 
$wgBlockDisablesLogin && $localUser->isBlocked() ) {
+                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-blocked-user' );
                                        }
 
                                        // We know the identity of the user who 
granted the authorization
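Review bot: The stage check `!$consumer->isUsableBy( $user )` is evaluated against `$user`, which is not defined in this hunk and, if it is the special page's session user, is the HTTP caller rather than the account the grant belongs to; `$localUser`, the account that authorized the token, is only derived two lines later from `$access->get( 'userId' )`. For a consumer that is not yet approved and is usable only by its owner, this presumably makes the check pass or fail on the wrong principal — confirm what `$user` holds above the hunk. I would derive `$localUser` (and run the invalid-user and locked/blocked checks) before the wiki/consumer branch and then use `} elseif ( !$consumer->isUsableBy( $localUser ) ) {`. Separately, `$localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked()` relies on `&&` binding tighter than `||`; writing `$localUser->isLocked() || ( $wgBlockDisablesLogin && $localUser->isBlocked() )` makes the intended grouping explicit. execute() starts in the first hunk and continues past this one.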


Gerrit-MessageType: merged
Gerrit-Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: REL1_23
Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org>
Gerrit-Reviewer: Gergő Tisza <gti...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
