Anomie has uploaded a new change for review. https://gerrit.wikimedia.org/r/318098
Change subject: Use correct user for isUsableBy check in Special:OAuth/identify ...................................................................... Use correct user for isUsableBy check in Special:OAuth/identify The special page's $this->getUser() comes from the normal CookieSessionProvider cookies (or other non-OAuth mechanism), not the OAuth headers that are being validated here for use by the /identify endpoint. We need to use the user associated with the MWOAuthConsumerAcceptance instead for proper operation. Bug: T149194 Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38 --- M frontend/specialpages/SpecialMWOAuth.php 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/98/318098/1 diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php index f6bbf7e..8a4fa73 100644 --- a/frontend/specialpages/SpecialMWOAuth.php +++ b/frontend/specialpages/SpecialMWOAuth.php 
@@ -157,17 +157,17 @@ $wiki = wfWikiID(); $dbr = MWOAuthUtils::getCentralDB( DB_SLAVE ); $access = MWOAuthConsumerAcceptance::newFromToken( $dbr, $token->key ); + $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) ); // Access token is for this wiki if ( $access->get( 'wiki' ) !== '*' && $access->get( 'wiki' ) !== $wiki ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-wrong-wiki', array( $wiki ) ); - } elseif ( !$consumer->isUsableBy( $user ) ) { + } elseif ( !$consumer->isUsableBy( $localUser ) ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved', $consumer->get( 'name' ) ); } - $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) ); if ( !$localUser || !$localUser->isLoggedIn() ) { throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' ); } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) { -- To view, visit https://gerrit.wikimedia.org/r/318098 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OAuth Gerrit-Branch: master Gerrit-Owner: Anomie <bjor...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
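Review bot: In the `elseif ( !$consumer->isUsableBy( $localUser ) )` branch, `$localUser` is now used before the existing `if ( !$localUser || !$localUser->isLoggedIn() )` guard that follows it. That guard shows `MWOAuthUtils::getLocalUserFromCentralId()` can return a falsy value, so after this change `isUsableBy()` may be called with something that is not a user object. Depending on how `isUsableBy()` handles that argument, a token whose central user has no local account would either fail inside `isUsableBy()` or be reported as `mwoauth-invalid-authorization-not-approved` instead of `mwoauth-invalid-authorization-invalid-user`. Consider moving the `!$localUser || !$localUser->isLoggedIn()` check up so it runs directly after the assignment and before the `isUsableBy()` call, leaving the wrong-wiki and not-approved checks after it. A short comment at the assignment saying that the user is taken from the acceptance record rather than the session user would also help keep `$user` from being reintroduced here later.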