CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/150971

Change subject: Don't check OAuth tokens on non-api requests
......................................................................

Don't check OAuth tokens on non-api requests

We used to always validate OAuth tokens if an Authorization header was
supplied in the request, except for calls to Special:OAuth, since those
could use request tokens, which wouldn't validate in a normal check.

This only does the check on API calls, since that's the only way users
should use OAuth.

Change-Id: I573ba252ff27e4c5201d34117cd907471e60c2e8
---
M api/MWOAuthAPI.setup.php
1 file changed, 1 insertion(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/71/150971/1

diff --git a/api/MWOAuthAPI.setup.php b/api/MWOAuthAPI.setup.php
index 0caff16..f634608 100644
--- a/api/MWOAuthAPI.setup.php
+++ b/api/MWOAuthAPI.setup.php
@@ -54,8 +54,7 @@
                if ( $result === false ) {
                        $context = \RequestContext::getMain();
                        $request = $context->getRequest();
-                       $title = $context->getTitle();
-                       if ( !MWOAuthUtils::hasOAuthHeaders( $request ) || 
$title->isSpecial( 'OAuth' ) ) {
+                       if ( !MWOAuthUtils::hasOAuthHeaders( $request ) || 
!defined( 'MW_API' ) ) {
                                $result = null;
                        } else {
                                try {
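
Review bot: The replacement condition, !defined( 'MW_API' ), carries no comment saying why OAuth headers are now ignored on every non-API entry point, and the explicit $title->isSpecial( 'OAuth' ) exemption is dropped without a note that Special:OAuth is still covered only because it is not served with MW_API defined. Please add a short comment above the if stating both points, so a later reader does not reintroduce validation for request-token calls to Special:OAuth. It is also worth deciding here whether a non-API request that does carry OAuth headers should be logged or rejected rather than silently falling through with $result = null, since the client sending those headers gets no signal that they were not checked.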

-- 
To view, visit https://gerrit.wikimedia.org/r/150971

Gerrit-MessageType: newchange
Gerrit-Change-Id: I573ba252ff27e4c5201d34117cd907471e60c2e8
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: CSteipp <cste...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
