CSteipp has uploaded a new change for review.
https://gerrit.wikimedia.org/r/77267
Change subject: Simplify Multi-wiki setups
......................................................................
Simplify Multi-wiki setups
* Only allow the OAuth handshake to occur on the central wiki. This
could be changed in the future, but simplifies the logic for now.
* Add check during handshake to ensure central wiki user is valid
* Fix error message display for /authorize phase
Change-Id: I8d482961d58251e931d5454533537b8e719e8357
---
M backend/MWOAuthUtils.php
M frontend/MWOAuthUI.setup.php
M frontend/language/MWOAuth.i18n.php
M frontend/specialpages/SpecialMWOAuth.php
4 files changed, 18 insertions(+), 8 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth
refs/changes/67/77267/1
diff --git a/backend/MWOAuthUtils.php b/backend/MWOAuthUtils.php
index 0061623..302af26 100644
--- a/backend/MWOAuthUtils.php
+++ b/backend/MWOAuthUtils.php
@@ -257,11 +257,11 @@
*
* @param User $user
* @return integer|bool ID or false if not found
- * @throws MWOAuthException
*/
public static function getCentralIdFromLocalUser( User $user ) {
global $wgMWOAuthCentralWiki;
+ // TODO: This allows a non-global account on the central wiki
to use OAuth
if ( MWOAuthUtils::isCentralWiki() ) {
$id = $user->getId();
} else { // only some central user system can give us the ID
@@ -276,10 +276,6 @@
// Process cache the result to avoid queries
$user->oAuthUserData['centralId'] = $id;
}
- }
-
- if ( !$id ) {
- throw new MWOAuthException(
'mwoauthserver-invalid-user' );
}
return $id;
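Review bot: With the `if ( !$id )` throw removed, getCentralIdFromLocalUser() now signals failure only through a falsy return value, so every caller has to test the result itself. The authorize path in SpecialMWOAuth.php does, but any other caller that relied on the exception would now continue with `false` or `0` as a user ID; those callers are not visible in this change and should be checked. The docblock's `@return integer|bool ID or false if not found` could also mention that the central-wiki branch returns `$user->getId()`, which is 0 rather than false for a logged-out user. The function body starts outside this hunk.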
diff --git a/frontend/MWOAuthUI.setup.php b/frontend/MWOAuthUI.setup.php
index e0e1969..cf29b6f 100644
--- a/frontend/MWOAuthUI.setup.php
+++ b/frontend/MWOAuthUI.setup.php
@@ -10,9 +10,9 @@
*/
public static function defineSpecialPages( array &$pages, array
&$groups ) {
// Pages available on all wikis
- $pages['MWOAuth'] = 'SpecialMWOAuth';
// Pages specific to the central OAuth management wiki
if ( MWOAuthUtils::isCentralWiki() ) {
+ $pages['MWOAuth'] = 'SpecialMWOAuth';
$pages['MWOAuthConsumerRegistration'] =
'SpecialMWOAuthConsumerRegistration';
$groups['MWOAuthConsumerRegistration'] = 'users';
$pages['MWOAuthManageConsumers'] =
'SpecialMWOAuthManageConsumers';
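Review bot: The comment `// Pages available on all wikis` now heads an empty section, because the only page it described was moved under the `isCentralWiki()` check. It should be removed or reworded, for example `// No OAuth special pages are registered on non-central wikis; the handshake runs on the central wiki only`. As a consequence, a consumer that points users at Special:MWOAuth on a non-central wiki will presumably get a missing-special-page response rather than an OAuth error, which is worth stating in the setup documentation.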
diff --git a/frontend/language/MWOAuth.i18n.php
b/frontend/language/MWOAuth.i18n.php
index d33c59e..4fb93c9 100644
--- a/frontend/language/MWOAuth.i18n.php
+++ b/frontend/language/MWOAuth.i18n.php
@@ -207,6 +207,8 @@
'mwoauth-authorize-form-description' => 'Application description: $1',
'mwoauth-authorize-form-version' => 'Application version: $1',
'mwoauth-authorize-form-wiki' => 'Wiki: $1',
+ 'mwoauth-authorize-form-invalid-user' => 'This user account cannot use
OAuth, because the account on this wiki, and the account on the central OAuth
wiki are not linked.',
+ 'mwoauth-error' => 'OAuth Error',
'mwoauth-grants-heading' => 'Requested permissions: ',
'mwoauth-grants-nogrants' => 'The application has not requested any
permissions.',
@@ -478,6 +480,8 @@
'mwoauth-authorize-form-description' => '{{Identical|Application
description}}',
'mwoauth-authorize-form-version' => '{{Identical|Application version}}',
'mwoauth-authorize-form-wiki' => '{{Identical|Wiki}}',
+ 'mwoauth-authorize-form-invalid-user' => 'Text of the error page when
the user cannot use OAuth.',
+ 'mwoauth-error' => 'Heading on the page, whenever an OAuth error is
presented to a user.',
'mwoauth-grants-heading' => 'Used as label for the grants list.
See also:
diff --git a/frontend/specialpages/SpecialMWOAuth.php
b/frontend/specialpages/SpecialMWOAuth.php
index e739dfd..b9284c1 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -10,7 +10,7 @@
$request = $this->getRequest();
$format = $request->getVal( 'format', 'raw' );
if ( !in_array( $subpage, array( 'initiate', 'authorize',
'token' ) ) ) {
- $this->showError( wfMessage(
'oauth-client-invalidrequest' ), $format );
+ $this->showError( 'oauth-client-invalidrequest',
$format );
}
try {
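Review bot: Nothing stops execution after `showError()` in the invalid-subpage branch, so unless showError() itself ends the request the code falls through into the `try` block with a `$subpage` that matched none of the allowed values. A `return;` directly after the call would make the rejection explicit. The key passed here, `oauth-client-invalidrequest`, also lacks the `mwoauth-` prefix used by the messages this change adds to MWOAuth.i18n.php, so it is worth confirming that it is defined. The enclosing method starts and ends outside this hunk.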
@@ -25,6 +25,7 @@
break;
case 'authorize':
//TODO: most of the "controller" logic
should be move somewhere else
+ $format = 'html';
$mwUser = $this->getUser();
$requestToken = $request->getVal(
'oauth_token', false ); //oauth_token
$consumerKey = $request->getVal(
'oauth_consumer_key', false ); //oauth_key
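Review bot: The added `$format = 'html';` silently discards the `format` value read from the request at the top of the method, and no comment explains why. A short comment would help, such as `// authorize is an interactive step: always render errors as HTML, whatever format was requested`. The `case` body continues outside this hunk.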
@@ -47,12 +48,21 @@
return;
}
+ // Check to make sure this user is the
same user
+ // on the central wiki
+ $centralId =
MWOAuthUtils::getCentralIdFromLocalUser( $mwUser );
+ if ( !$centralId ) {
+ // For now, just abort and give
them hints to fix in
+ // the error message. TODO: if
we can fix the issue with
+ // a few redirects, do that
here.
+ throw new MWOAuthException(
'mwoauth-authorize-form-invalid-user' );
+ }
+
if ( $request->getVal( 'doAuthorize',
false ) ) {
// Require POST
if ( !$request->wasPosted() ) {
throw new
MWOAuthException( 'mwoauth-not-posted' );
}
-
// Check csrf token
$CSRFToken = $request->getVal(
'formToken', false );
if ( !$mwUser->matchEditToken(
$CSRFToken, 'OAuth:Authorize' ) ) {
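Review bot: The new `!$centralId` guard probably does not verify account linkage yet, even though the `mwoauth-authorize-form-invalid-user` message says it does. This special page is now registered only when `MWOAuthUtils::isCentralWiki()` is true, so here getCentralIdFromLocalUser() appears always to take its first branch and return `$mwUser->getId()`. In that case the check rejects only a user with no local ID, which matches the TODO added in MWOAuthUtils.php about non-global accounts on the central wiki. Until a real lookup against the central user system is added, the gap should be recorded at the call site, for example `// NOTE: on the central wiki this only rejects users without a local ID; global-account linkage is not verified yet`. The enclosing `case` starts and ends outside this hunk.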
--
To view, visit https://gerrit.wikimedia.org/r/77267
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8d482961d58251e931d5454533537b8e719e8357
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>