From f025a5dc92213d160401367eb7892a71b792171b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Thu, 17 Mar 2022 23:42:51 +0100
Subject: [PATCH] [SECURITY] Fix check for 'override-antispoof' permission

Bug: T304126
Change-Id: Id8c4e2e336695ce70ccdf8a51ad729bf4a99f8f7
---
 includes/AntiSpoofPreAuthenticationProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/AntiSpoofPreAuthenticationProvider.php b/includes/AntiSpoofPreAuthenticationProvider.php
index eb897c1..1b6810f 100644
--- a/includes/AntiSpoofPreAuthenticationProvider.php
+++ b/includes/AntiSpoofPreAuthenticationProvider.php
@@ -142,7 +142,7 @@ class AntiSpoofPreAuthenticationProvider extends AbstractPreAuthenticationProvid
 		// For "cancreate" checks via the API, test if the current user could
 		// create the username.
 		if ( $this->antiSpoofAccounts && !$autocreate && empty( $options['creating'] ) &&
-			$this->permissionManager->userHasAnyRight( RequestContext::getMain()->getUser(), 'override-antispoof' )
+			!$this->permissionManager->userHasAnyRight( RequestContext::getMain()->getUser(), 'override-antispoof' )
 		) {
 			$sv->merge( $this->testUserInternal( $user, false, new NullLogger ) );
 		}
-- 
2.28.0.windows.1