From aab2cb61140b2dcfb311764d95fa83d7a03ee35e Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Wed, 9 May 2018 15:14:38 -0400
Subject: [PATCH 2/2] SECURITY: Special:BotPasswords should reauthenticate

More specifically, it should reauthenticate when creating a bot password
or resetting the password. But we may as well do it for all accesses.

Bug: T193237
Change-Id: I9a38a3109492753fff1f33c0f280e5b0f1fc1a76
---
 RELEASE-NOTES-1.32                        | 1 +
 includes/specials/SpecialBotPasswords.php | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/RELEASE-NOTES-1.32 b/RELEASE-NOTES-1.32
index 9fd3161f1e..536f550992 100644
--- a/RELEASE-NOTES-1.32
+++ b/RELEASE-NOTES-1.32
@@ -17,6 +17,7 @@ production.
   'html5-legacy' value for $wgFragmentMode is no longer accepted.
 * The experimental Html5Internal and Html5Depurate tidy drivers were removed.
   RemexHtml, which is the default, should be used instead.
+* Special:BotPasswords now requires reauthentication.
 
 === New features in 1.32 ===
 * (T112474) Generalized the ResourceLoader mechanism for overriding modules
diff --git a/includes/specials/SpecialBotPasswords.php b/includes/specials/SpecialBotPasswords.php
index 7b2d1bcbfd..961ee1c558 100644
--- a/includes/specials/SpecialBotPasswords.php
+++ b/includes/specials/SpecialBotPasswords.php
@@ -51,6 +51,10 @@ class SpecialBotPasswords extends FormSpecialPage {
 		return $this->getConfig()->get( 'EnableBotPasswords' );
 	}
 
+	protected function getLoginSecurityLevel() {
+		return $this->getName();
+	}
+
 	/**
 	 * Main execution point
 	 * @param string|null $par
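Review bot: The added `getLoginSecurityLevel()` has no doc comment, unlike the `execute()` docblock directly below it, so a reader cannot tell that returning the page name is what turns on the reauthentication gate for this page. I would add `/** Require recent reauthentication for every access, not only create/reset; the page name is the operation key. */` above the method. As far as I know that key is looked up in `$wgReauthenticateTime` and falls back to its default entry when no page-specific entry is configured, which would be worth stating in the release note for operators who want a shorter window here. The gate is presumably enforced from the base class's execute path, and this class's own `execute()` starts at the end of the hunk with its body outside it, so please confirm the override still reaches that check before any form handling. A test that a session past the reauthentication window is sent to log in again, rather than shown the form, would pin this down.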
-- 
2.17.0

