
T194605.patch

Authored By
Bawolff
May 13 2018, 7:39 PM

T194605.patch

From 98068fb50b011672eb1b4ecd4ec06d04395c8f61 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Sun, 13 May 2018 19:37:09 +0000
Subject: [PATCH] SECURITY: Do not allow botpassword login if account locked.
Reported by Rxy
Bug: T194605
Change-Id: Ib41005e69ab4db6f849837de12f0d41398b58f9a
---
includes/api/ApiLogin.php | 3 ++-
includes/user/BotPassword.php | 4 ++++
languages/i18n/en.json | 1 +
languages/i18n/qqq.json | 1 +
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0248f25..14491da 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -132,7 +132,8 @@ class ApiLogin extends ApiBase {
$loginType = 'BotPassword';
} elseif ( !$botLoginData[2] ||
$status->hasMessage( 'login-throttled' ) ||
- $status->hasMessage( 'botpasswords-needs-reset' )
+ $status->hasMessage( 'botpasswords-needs-reset' ) ||
+ $status->hasMessage( 'botpasswords-locked' )
) {
$authRes = 'Failed';
$message = $status->getMessage();
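Review bot: The failure branch is keyed on a hard-coded list of message names, and the new `botpasswords-locked` entry is the second such extension after `botpasswords-needs-reset`; nothing ties this list to the fatal keys that BotPassword::login() can return, so a future fatal added there would silently miss this branch. A comment above the condition would make the coupling explicit: `// Keep in sync with the fatal message keys BotPassword::login() can return (nosuchuser aside)`. If the branch that follows already treats any other non-OK status as a generic failure, the cost of a miss is only a less specific message, but that branch is outside the hunk, as is the rest of the enclosing method.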
diff --git a/includes/user/BotPassword.php b/includes/user/BotPassword.php
index 6b8153c..8074c32 100644
--- a/includes/user/BotPassword.php
+++ b/includes/user/BotPassword.php
@@ -473,6 +473,10 @@ class BotPassword implements IDBAccessObject {
return Status::newFatal( 'nosuchuser', $name );
}
+ if ( $user->isLocked() ) {
+ return Status::newFatal( 'botpasswords-locked' );
+ }
+
// Throttle
$throttle = null;
if ( !empty( $wgPasswordAttemptThrottle ) ) {
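Review bot: The new `isLocked()` check returns its fatal before the throttle and, presumably, before the bot password is verified, so any caller who knows a username learns whether that account is locked without presenting a valid credential. That is consistent with the `nosuchuser` fatal just above, which already discloses account existence, so it is not a new disclosure, but the ordering is deliberate and worth recording next to the check: `// Reject before throttling or verification: a locked account must not be usable via bot passwords at all`. Note also that, unlike the sibling `botpasswords-needs-reset` fatal, this one carries no username/bot-name parameters, which matches the parameterless en.json message. The enclosing method starts and ends outside the hunk.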
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 4befdc5..503ab4b 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -562,6 +562,7 @@
"botpasswords-invalid-name": "The username specified does not contain the bot password separator (\"$1\").",
"botpasswords-not-exist": "User \"$1\" does not have a bot password named \"$2\".",
"botpasswords-needs-reset": "The bot password for bot name \"$2\" of {{GENDER:$1|user}} \"$1\" must be reset.",
+ "botpasswords-locked": "You cannot login with a bot password as your account is locked.",
"resetpass_forbidden": "Passwords cannot be changed",
"resetpass_forbidden-reason": "Passwords cannot be changed: $1",
"resetpass-no-info": "You must be logged in to access this page directly.",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 17e26ae..70db8c7 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -760,6 +760,7 @@
"botpasswords-invalid-name": "Error message when a username lacking the separator character is passed to BotPassword. Parameters:\n* $1 - The separator character.",
"botpasswords-not-exist": "Error message when a username exists but does not a bot password for the given \"bot name\". Parameters:\n* $1 - username\n* $2 - bot name",
"botpasswords-needs-reset": "Error message when a bot password exists but needs to be reset. Parameters:\n* $1 - username\n* $2 - bot name",
+ "botpasswords-locked": "Shown in the event that the underlying account is locked",
"resetpass_forbidden": "Used as error message in changing password. Maybe the external auth plugin won't allow local password changes.",
"resetpass_forbidden-reason": "Like {{msg-mw|resetpass_forbidden}} but the auth provider gave a reason.\n\nParameters:\n* $1 - reason given by auth provider",
"resetpass-no-info": "Error message for [[Special:ChangePassword]].\n\nParameters:\n* $1 (unused) - a link to [[Special:UserLogin]] with {{msg-mw|loginreqlink}} as link description",
--
2.8.1
