[MediaWiki-commits] [Gerrit] mediawiki...OAuth[wmf/1.28.0-wmf.23]: Use correct user for isUsableBy check in Special:OAuth/identify
jenkins-bot has submitted this change and it was merged. Change subject: Use correct user for isUsableBy check in Special:OAuth/identify .. Use correct user for isUsableBy check in Special:OAuth/identify The special page's $this->getUser() comes from the normal CookieSessionProvider cookies (or other non-OAuth mechanism), not the OAuth headers that are being validated here for use by the /identify endpoint. We need to use the user associated with the MWOAuthConsumerAcceptance instead for proper operation. Bug: T149194 Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38 --- M frontend/specialpages/SpecialMWOAuth.php 1 file changed, 7 insertions(+), 7 deletions(-) Approvals: Gergő Tisza: Looks good to me, approved jenkins-bot: Verified diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php index f6bbf7e..3f0954f 100644 --- a/frontend/specialpages/SpecialMWOAuth.php +++ b/frontend/specialpages/SpecialMWOAuth.php 
@@ -157,21 +157,21 @@ $wiki = wfWikiID(); $dbr = MWOAuthUtils::getCentralDB( DB_SLAVE ); $access = MWOAuthConsumerAcceptance::newFromToken( $dbr, $token->key ); + $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) ); + if ( !$localUser || !$localUser->isLoggedIn() ) { + throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' ); + } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) { + throw new MWOAuthException( 'mwoauth-invalid-authorization-blocked-user' ); + } // Access token is for this wiki if ( $access->get( 'wiki' ) !== '*' && $access->get( 'wiki' ) !== $wiki ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-wrong-wiki', array( $wiki ) ); - } elseif ( !$consumer->isUsableBy( $user ) ) { + } elseif ( !$consumer->isUsableBy( $localUser ) ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved', $consumer->get( 'name' ) ); - } - $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) ); - if ( !$localUser || !$localUser->isLoggedIn() ) { - throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' ); - } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) { - throw new MWOAuthException( 'mwoauth-invalid-authorization-blocked-user' ); } // We know the identity of the user who granted the authorization -- To view, visit https://gerrit.wikimedia.org/r/318219 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OAuth Gerrit-Branch: wmf/1.28.0-wmf.23 Gerrit-Owner: Gergő Tisza Gerrit-Reviewer: Anomie Gerrit-Reviewer: Gergő Tisza Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
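Review bot: In the relocated `elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() )`, the condition depends on `&&` binding tighter than `||`; parenthesize `( $wgBlockDisablesLogin && $localUser->isBlocked() )` so the intent is explicit to the next reader. Moving the user checks above the wiki check also changes which exception is raised when several conditions fail at once: a token issued for another wiki whose granting user is locked now gets `mwoauth-invalid-authorization-blocked-user` instead of `mwoauth-invalid-authorization-wrong-wiki`. Please confirm that ordering is intended and acceptable for clients that act on the error key.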
[MediaWiki-commits] [Gerrit] mediawiki...OAuth[wmf/1.28.0-wmf.23]: Use correct user for isUsableBy check in Special:OAuth/identify
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/318219 Change subject: Use correct user for isUsableBy check in Special:OAuth/identify .. Use correct user for isUsableBy check in Special:OAuth/identify The special page's $this->getUser() comes from the normal CookieSessionProvider cookies (or other non-OAuth mechanism), not the OAuth headers that are being validated here for use by the /identify endpoint. We need to use the user associated with the MWOAuthConsumerAcceptance instead for proper operation. Bug: T149194 Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38 --- M frontend/specialpages/SpecialMWOAuth.php 1 file changed, 7 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/19/318219/1 diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php index f6bbf7e..3f0954f 100644 --- a/frontend/specialpages/SpecialMWOAuth.php +++ b/frontend/specialpages/SpecialMWOAuth.php 
@@ -157,21 +157,21 @@ $wiki = wfWikiID(); $dbr = MWOAuthUtils::getCentralDB( DB_SLAVE ); $access = MWOAuthConsumerAcceptance::newFromToken( $dbr, $token->key ); + $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) ); + if ( !$localUser || !$localUser->isLoggedIn() ) { + throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' ); + } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) { + throw new MWOAuthException( 'mwoauth-invalid-authorization-blocked-user' ); + } // Access token is for this wiki if ( $access->get( 'wiki' ) !== '*' && $access->get( 'wiki' ) !== $wiki ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-wrong-wiki', array( $wiki ) ); - } elseif ( !$consumer->isUsableBy( $user ) ) { + } elseif ( !$consumer->isUsableBy( $localUser ) ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved', $consumer->get( 'name' ) ); - } - $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) ); - if ( !$localUser || !$localUser->isLoggedIn() ) { - throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' ); - } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) { - throw new MWOAuthException( 'mwoauth-invalid-authorization-blocked-user' ); } // We know the identity of the user who granted the authorization -- To view, visit https://gerrit.wikimedia.org/r/318219 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OAuth Gerrit-Branch: wmf/1.28.0-wmf.23 Gerrit-Owner: Gergő Tisza Gerrit-Reviewer: Anomie ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
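Review bot: `$access->get( 'userId' )` is now the first dereference of `$access`, directly after `MWOAuthConsumerAcceptance::newFromToken( $dbr, $token->key )`, and nothing in this hunk checks that an acceptance was actually found. If `newFromToken` can return a falsy value for an unknown token, guard it before calling `getLocalUserFromCentralId`. With `isUsableBy( $localUser )` replacing `isUsableBy( $user )`, also check whether `$user` is still needed in this branch and drop it if not, so the cookie-session user cannot slip back into the OAuth validation path. The change touches one file and adds no test; a regression test that calls /identify while a different user holds the cookie session would pin the behaviour described in the commit message.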