Anomie has uploaded a new change for review. https://gerrit.wikimedia.org/r/318108
Change subject: Improve MWOAuthSessionProvider authorization test ...................................................................... Improve MWOAuthSessionProvider authorization test If a non-owner could somehow approve an owner-only consumer, the existing code would allow that consumer to be used by the non-owner even though owner-only consumers are supposed to be only usable by the owner. That isn't possible since MWOAuthServer::authorize() refuses to work on owner-only consumers, but we should fix the check here anyway. Change-Id: Iaa0c99ee57449ac296b09d082cd8f0e4cb5fcd90 --- M api/MWOAuthSessionProvider.php 1 file changed, 1 insertion(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/08/318108/1 diff --git a/api/MWOAuthSessionProvider.php b/api/MWOAuthSessionProvider.php index 7d64634..f716d6e 100644 --- a/api/MWOAuthSessionProvider.php +++ b/api/MWOAuthSessionProvider.php 
@@ -104,9 +104,7 @@ // The consumer is approved or owned by $localUser, and is for this wiki. $consumer = MWOAuthConsumer::newFromId( $dbr, $access->get( 'consumerId' ) ); - if ( $consumer->get( 'stage' ) !== MWOAuthConsumer::STAGE_APPROVED - && !$consumer->isUsableBy( $localUser ) // let publisher test this - ) { + if ( !$consumer->isUsableBy( $localUser ) ) { return $this->makeException( 'mwoauth-invalid-authorization-not-approved' ); } elseif ( $consumer->get( 'wiki' ) !== '*' && $consumer->get( 'wiki' ) !== $wiki ) { return $this->makeException( 'mwoauth-invalid-authorization-wrong-wiki', $wiki ); -- To view, visit https://gerrit.wikimedia.org/r/318108 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iaa0c99ee57449ac296b09d082cd8f0e4cb5fcd90 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OAuth Gerrit-Branch: master Gerrit-Owner: Anomie <bjor...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
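Review bot: The new condition `if ( !$consumer->isUsableBy( $localUser ) ) {` in api/MWOAuthSessionProvider.php drops the explicit `STAGE_APPROVED` comparison, so the whole authorization decision now rests on isUsableBy(), whose body is not part of this diff. Please state in the commit message or in the comment above the check what that method guarantees: that it rejects a non-approved consumer for anyone but its owner, and that it still covers the case the removed `// let publisher test this` comment described. The retained comment "The consumer is approved or owned by $localUser, and is for this wiki" should be reworded to match. The error key `mwoauth-invalid-authorization-not-approved` is now also returned in the case the commit message describes, an approved owner-only consumer used by a non-owner, where "not approved" is misleading for anyone reading logs or API errors; consider a separate message key for that case. The change touches only this one file, so a regression test for the owner-only, non-owner path would be worth adding, since the commit message says that path is currently unreachable only because of a check elsewhere.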