jenkins-bot has submitted this change and it was merged. Change subject: Don't check OAuth tokens on non-api requests ......................................................................
Don't check OAuth tokens on non-api requests We used to always validate OAuth tokens if an Authorization header was supplied in the request, except for calls to Special:OAuth, since those could use request tokens, which wouldn't validate in a normal check. This only does the check on API calls, since that's the only way users should use OAuth. Change-Id: I573ba252ff27e4c5201d34117cd907471e60c2e8 --- M api/MWOAuthAPI.setup.php 1 file changed, 1 insertion(+), 2 deletions(-) Approvals: Yuvipanda: Looks good to me, but someone else must approve Reedy: Looks good to me, approved jenkins-bot: Verified diff --git a/api/MWOAuthAPI.setup.php b/api/MWOAuthAPI.setup.php index 0caff16..f634608 100644 --- a/api/MWOAuthAPI.setup.php +++ b/api/MWOAuthAPI.setup.php @@ -54,8 +54,7 @@ if ( $result === false ) { $context = \RequestContext::getMain(); $request = $context->getRequest(); - $title = $context->getTitle(); - if ( !MWOAuthUtils::hasOAuthHeaders( $request ) || $title->isSpecial( 'OAuth' ) ) { + if ( !MWOAuthUtils::hasOAuthHeaders( $request ) || !defined( 'MW_API' ) ) { $result = null; } else { try { -- To view, visit https://gerrit.wikimedia.org/r/150971 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I573ba252ff27e4c5201d34117cd907471e60c2e8 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OAuth Gerrit-Branch: master Gerrit-Owner: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> Gerrit-Reviewer: Reedy <re...@wikimedia.org> Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits