Anomie has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/318108

Change subject: Improve MWOAuthSessionProvider authorization test
......................................................................

Improve MWOAuthSessionProvider authorization test

If a non-owner could somehow approve an owner-only consumer, the
existing code would allow that consumer to be used by the non-owner even
though owner-only consumers are supposed to be only usable by the owner.

That isn't possible since MWOAuthServer::authorize() refuses to work on
owner-only consumers, but we should fix the check here anyway.

Change-Id: Iaa0c99ee57449ac296b09d082cd8f0e4cb5fcd90
---
M api/MWOAuthSessionProvider.php
1 file changed, 1 insertion(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth 
refs/changes/08/318108/1

diff --git a/api/MWOAuthSessionProvider.php b/api/MWOAuthSessionProvider.php
index 7d64634..f716d6e 100644
--- a/api/MWOAuthSessionProvider.php
+++ b/api/MWOAuthSessionProvider.php
@@ -104,9 +104,7 @@
 
                // The consumer is approved or owned by $localUser, and is for 
this wiki.
                $consumer = MWOAuthConsumer::newFromId( $dbr, $access->get( 
'consumerId' ) );
-               if ( $consumer->get( 'stage' ) !== 
MWOAuthConsumer::STAGE_APPROVED
-                       && !$consumer->isUsableBy( $localUser ) // let 
publisher test this
-               ) {
+               if ( !$consumer->isUsableBy( $localUser ) ) {
                        return $this->makeException( 
'mwoauth-invalid-authorization-not-approved' );
                } elseif ( $consumer->get( 'wiki' ) !== '*' && $consumer->get( 
'wiki' ) !== $wiki ) {
                        return $this->makeException( 
'mwoauth-invalid-authorization-wrong-wiki', $wiki );
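
Review bot: The rewritten condition `if ( !$consumer->isUsableBy( $localUser ) )` still returns 'mwoauth-invalid-authorization-not-approved', but per the commit message it now also has to reject an approved owner-only consumer presented by a non-owner, and "not approved" is a misleading error for that case. Consider a separate message key for it, or at least a comment saying the key is reused on purpose. The authorization decision now rests entirely on isUsableBy(), whose body is not part of this diff, and the removed "let publisher test this" remark was the only inline explanation of why a non-approved consumer may pass. The context comment "The consumer is approved or owned by $localUser" should be updated to say that owner-only consumers are usable only by their owner. A test covering the approved, owner-only, non-owner case would pin the behaviour the commit message describes.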

-- 
To view, visit https://gerrit.wikimedia.org/r/318108
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaa0c99ee57449ac296b09d082cd8f0e4cb5fcd90
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits