From 6529d523b8ba844a32d8fbd9e346c64fa3966c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?=
Date: Wed, 19 Oct 2016 02:43:18 +0000
Subject: [PATCH] SECURITY: check stage and user blocked/locked status in /identify

Bug: T148600
Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394

---
 frontend/specialpages/SpecialMWOAuth.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php
index 8b39881..f6bbf7e 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -42,7 +42,7 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
 }
 public function execute( $subpage ) {
- global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly;
+ global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly, $wgBlockDisablesLogin;
 $this->setHeaders();
@@ -151,6 +151,8 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
 $oauthRequest = MWOAuthRequest::fromRequest( $request );
 // verify_request throws an exception if anything isn't verified
 list( $consumer, $token ) = $server->verify_request( $oauthRequest );
+ /** @var MWOAuthConsumer $consumer */
+ /** @var MWOAuthToken $token */
 $wiki = wfWikiID();
 $dbr = MWOAuthUtils::getCentralDB( DB_SLAVE );
@@ -161,10 +163,15 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
 'mwoauth-invalid-authorization-wrong-wiki', array( $wiki ) );
+ } elseif ( !$consumer->isUsableBy( $user ) ) {
+ throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved',
+ $consumer->get( 'name' ) );
 }
 $localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
 if ( !$localUser || !$localUser->isLoggedIn() ) {
 throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' );
+ } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) {
+ throw new MWOAuthException( 'mwoauth-invalid-authorization-blocked-user' );
 }
 // We know the identity of the user who granted the authorization
-- 
1.9.1
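Review bot: The two message keys thrown by the new branches, `mwoauth-invalid-authorization-not-approved` and `mwoauth-invalid-authorization-blocked-user`, are not accompanied by any message-file change (the diffstat lists only SpecialMWOAuth.php), so unless both keys already exist in the extension's i18n files the consumer will be shown a raw key instead of a localized error; confirm before merging. The blocked-user condition depends on `&&` binding tighter than `||`, which does give the intended `isLocked() || ($wgBlockDisablesLogin && isBlocked())`, but since this line is the security gate the grouping should be explicit: `} elseif ( $localUser->isLocked() || ( $wgBlockDisablesLogin && $localUser->isBlocked() ) ) {`. The consumer-stage check `!$consumer->isUsableBy( $user )` is evaluated before `$localUser` is resolved from the access token's `userId`; if `$user` is the user of the incoming web request rather than the identity the authorization was granted to, the stage check is applied to a different account than the one being identified, which is worth confirming is intended. The enclosing method starts and ends outside this hunk.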