SECURITY: Special:BotPasswords should reauthenticate

More specifically, it should reauthenticate when creating a bot password
or resetting the password. But we may as well do it for all accesses.

Bug: T194237
Change-Id: I9a38a3109492753fff1f33c0f280e5b0f1fc1a76

diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index 9d8f387..60b6c27 100644 (file)
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -1,11 +1,16 @@
-== MediaWiki 1.31 ==
+== MediaWiki 1.31.1 ==
 
 THIS IS NOT A RELEASE YET!
 
+This is a security and maintenance release of the MediaWiki 1.31 branch.
+
 === Changes since MediaWiki 1.31.0 ===
 * (T197229) Bundle Nuke extension, it was accidentally omitted.
 * (T193995) Fix undefined patchPath() method call in parser tests.
 * (T198687) Fix various selectFields methods to use the string 'NULL', not null.
+* Special:BotPasswords now requires reauthentication.
+
+== MediaWiki 1.31 ==
 
 === Changes since MediaWiki 1.31.0-rc.2 ===
 * (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.

diff --git a/includes/specials/SpecialBotPasswords.php b/includes/specials/SpecialBotPasswords.php
index f76c318..c912e83 100644 (file)
--- a/includes/specials/SpecialBotPasswords.php
+++ b/includes/specials/SpecialBotPasswords.php
@@ -51,6 +51,10 @@ class SpecialBotPasswords extends FormSpecialPage {
                return $this->getConfig()->get( 'EnableBotPasswords' );
        }
 
+       protected function getLoginSecurityLevel() {
+               return $this->getName();
+       }
+
        /**
         * Main execution point
         * @param string|null $par