jenkins-bot has submitted this change and it was merged.

Change subject: Use correct user for isUsableBy check in Special:OAuth/identify
......................................................................


Use correct user for isUsableBy check in Special:OAuth/identify

The special page's $this->getUser() comes from the normal
CookieSessionProvider cookies (or other non-OAuth mechanism), not the
OAuth headers that are being validated here for use by the /identify
endpoint.

We need to use the user associated with the MWOAuthConsumerAcceptance
instead for proper operation.

Bug: T149194
Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38
---
M frontend/specialpages/SpecialMWOAuth.php
1 file changed, 7 insertions(+), 7 deletions(-)

Approvals:
  Gergő Tisza: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/frontend/specialpages/SpecialMWOAuth.php 
b/frontend/specialpages/SpecialMWOAuth.php
index f6bbf7e..3f0954f 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -157,21 +157,21 @@
                                        $wiki = wfWikiID();
                                        $dbr = MWOAuthUtils::getCentralDB( 
DB_SLAVE );
                                        $access = 
MWOAuthConsumerAcceptance::newFromToken( $dbr, $token->key );
+                                       $localUser = 
MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
+                                       if ( !$localUser || 
!$localUser->isLoggedIn() ) {
+                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-invalid-user' );
+                                       } elseif ( $localUser->isLocked() || 
$wgBlockDisablesLogin && $localUser->isBlocked() ) {
+                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-blocked-user' );
+                                       }
                                        // Access token is for this wiki
                                        if ( $access->get( 'wiki' ) !== '*' && 
$access->get( 'wiki' ) !== $wiki ) {
                                                throw new MWOAuthException(
                                                        
'mwoauth-invalid-authorization-wrong-wiki',
                                                        array( $wiki )
                                                );
-                                       } elseif ( !$consumer->isUsableBy( 
$user ) ) {
+                                       } elseif ( !$consumer->isUsableBy( 
$localUser ) ) {
                                                throw new MWOAuthException( 
'mwoauth-invalid-authorization-not-approved',
                                                        $consumer->get( 'name' 
) );
-                                       }
-                                       $localUser = 
MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
-                                       if ( !$localUser || 
!$localUser->isLoggedIn() ) {
-                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-invalid-user' );
-                                       } elseif ( $localUser->isLocked() || 
$wgBlockDisablesLogin && $localUser->isBlocked() ) {
-                                               throw new MWOAuthException( 
'mwoauth-invalid-authorization-blocked-user' );
                                        }
 
                                        // We know the identity of the user who 
granted the authorization
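Review bot: Moving the `$localUser` lookup and validity checks above the wiki check changes which exception wins when an access token belongs to an invalid, locked or blocked user and is also for the wrong wiki: `mwoauth-invalid-authorization-invalid-user` / `-blocked-user` is now thrown before `mwoauth-invalid-authorization-wrong-wiki` is evaluated, where previously wrong-wiki took precedence. Failing closed either way is fine, but this is a caller-visible change the commit message does not mention; a short comment above the new `$localUser` lookup (the user must be resolved first because `isUsableBy()` now needs it) would make the ordering intentional rather than incidental. Two smaller points: the condition `$localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked()` relies on `&&` binding tighter than `||`, which is correct in PHP but reads more clearly as `$localUser->isLocked() || ( $wgBlockDisablesLogin && $localUser->isBlocked() )`; and since `$user` (the `$this->getUser()` result) is no longer what is passed to `isUsableBy()`, check whether it is still referenced elsewhere in this method and drop its assignment if not, so the wrong user cannot be picked up again by a later edit.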

-- 
To view, visit https://gerrit.wikimedia.org/r/318219
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: wmf/1.28.0-wmf.23
Gerrit-Owner: Gergő Tisza <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
Gerrit-Reviewer: Gergő Tisza <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits