Anomie has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/318098

Change subject: Use correct user for isUsableBy check in Special:OAuth/identify
......................................................................

Use correct user for isUsableBy check in Special:OAuth/identify

The special page's $this->getUser() comes from the normal
CookieSessionProvider cookies (or other non-OAuth mechanism), not the
OAuth headers that are being validated here for use by the /identify
endpoint.

We need to use the user associated with the MWOAuthConsumerAcceptance
instead for proper operation.

Bug: T149194
Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38
---
M frontend/specialpages/SpecialMWOAuth.php
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/98/318098/1

diff --git a/frontend/specialpages/SpecialMWOAuth.php 
b/frontend/specialpages/SpecialMWOAuth.php
index f6bbf7e..8a4fa73 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -157,17 +157,17 @@
                                        $wiki = wfWikiID();
                                        $dbr = MWOAuthUtils::getCentralDB( 
DB_SLAVE );
                                        $access = 
MWOAuthConsumerAcceptance::newFromToken( $dbr, $token->key );
+                                       $localUser = 
MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
                                        // Access token is for this wiki
                                        if ( $access->get( 'wiki' ) !== '*' && 
$access->get( 'wiki' ) !== $wiki ) {
                                                throw new MWOAuthException(
                                                        
'mwoauth-invalid-authorization-wrong-wiki',
                                                        array( $wiki )
                                                );
-                                       } elseif ( !$consumer->isUsableBy( 
$user ) ) {
+                                       } elseif ( !$consumer->isUsableBy( 
$localUser ) ) {
                                                throw new MWOAuthException( 
'mwoauth-invalid-authorization-not-approved',
                                                        $consumer->get( 'name' 
) );
                                        }
-                                       $localUser = 
MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
                                        if ( !$localUser || 
!$localUser->isLoggedIn() ) {
                                                throw new MWOAuthException( 
'mwoauth-invalid-authorization-invalid-user' );
                                        } elseif ( $localUser->isLocked() || 
$wgBlockDisablesLogin && $localUser->isBlocked() ) {
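
Review bot: $localUser is now passed to $consumer->isUsableBy() in the elseif branch before the existing "if ( !$localUser || !$localUser->isLoggedIn() )" guard a few lines further down, so a central ID with no matching local user reaches isUsableBy() unvalidated. Since that guard shows getLocalUserFromCentralId() can return a falsy value, I would move the invalid-user check up to sit directly after the new $localUser assignment. The request then fails with mwoauth-invalid-authorization-invalid-user instead of depending on how isUsableBy() handles a missing user. A short comment at the assignment saying that the session user from $this->getUser() must not be used for this check would also help keep the bug from being reintroduced.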

-- 
To view, visit https://gerrit.wikimedia.org/r/318098
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits