Use correct user for isUsableBy check in Special:OAuth/identify

Authored by Anomie on Oct 26 2016, 2:21 PM.

Description

Use correct user for isUsableBy check in Special:OAuth/identify

The special page's $this->getUser() comes from the normal
CookieSessionProvider cookies (or other non-OAuth mechanism), not the
OAuth headers that are being validated here for use by the /identify
endpoint.

We need to use the user associated with the MWOAuthConsumerAcceptance
instead for proper operation.

Bug: T149194
Change-Id: I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38
(cherry picked from commit rEOAU5ec60f469f1c)
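
The mismatch the commit message describes, as an added sketch that is not part of the commit or the extension's code. The `Consumer` and `Acceptance` classes, the stage strings and the simplified `isUsableBy` rule are hypothetical stand-ins assumed for illustration.

```php
<?php
// Hypothetical stand-ins, not the OAuth extension's real classes.
final class Consumer {
    public function __construct(public int $ownerId, public string $stage) {}

    // Assumed rule: approved consumers are usable by anyone,
    // proposed ones only by their owner.
    public function isUsableBy(int $userId): bool {
        return $this->stage === 'approved'
            || ($this->stage === 'proposed' && $userId === $this->ownerId);
    }
}

// Records which user granted access to which consumer.
final class Acceptance {
    public function __construct(public int $userId, public Consumer $consumer) {}
}

// Before: the check runs against the cookie-session user (0 = anonymous).
function identifyBefore(?int $sessionUserId, Acceptance $acc): bool {
    return $acc->consumer->isUsableBy($sessionUserId ?? 0);
}

// After: the check runs against the user bound to the validated OAuth grant.
// The session user is deliberately ignored.
function identifyAfter(?int $sessionUserId, Acceptance $acc): bool {
    return $acc->consumer->isUsableBy($acc->userId);
}

// Constructed cases: consumer owned by user 7, still in the proposed stage.
$consumer = new Consumer(7, 'proposed');
$cases = [
    'owner grant, no cookies'      => [null, new Acceptance(7, $consumer)],
    'owner grant, other session'   => [9, new Acceptance(7, $consumer)],
    'non-owner grant, owner session' => [7, new Acceptance(9, $consumer)],
];

foreach ($cases as $label => [$session, $acc]) {
    printf("%-32s before=%s after=%s\n", $label,
        var_export(identifyBefore($session, $acc), true),
        var_export(identifyAfter($session, $acc), true));
}
```

In every constructed case the two functions disagree, because the "before" decision follows whatever cookies accompany the request rather than the identity the OAuth headers establish.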

Details

Committed
Tgr on Oct 27 2016, 11:13 PM
Parents
rEOAU40e817b969d6: SECURITY: check stage and user blocked/locked status in /identify
Branches
Unknown
Tags
Unknown
References
REL1_27
ChangeId
I0a9f78c4fe7e592a3dbbf084858ba9942a8fac38