From fe7ffa24f5228ac2a58689bef8c9e1c5bf6838ee Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Thu, 21 Mar 2019 09:00:49 -0700
Subject: [PATCH] Rearrange code in User::getBlockedStatus to avoid isAllowed
 calls

User::isAllowed() triggers session loading, which results in a loop
if it is called during session loading. Session providers need to
check block status when $wgBlockDisablesLogin is enabled, so try to
avoid isAllowed calls in that situation.

Bug: T218608
Change-Id: Iab24923c613d6aeed4b574f587fc4cee8f33077c
---
 RELEASE-NOTES-1.31     |  2 ++
 includes/user/User.php | 18 ++++++++----------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index 9795e8b36e..5eacf552a8 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -60,6 +60,8 @@ THIS IS NOT A RELEASE YET
 * (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
 * (T204423) Backport support for hyphenated DB names in JobQueueGroup.
 * (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
+* (T218608) Fix an issue that prevents Extension:OAuth working when
+  $wgBlockDisablesLogin is true.
 
 == MediaWiki 1.31.1 ==
 
diff --git a/includes/user/User.php b/includes/user/User.php
index 86bb27bcdf..464629a4e1 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -1794,16 +1794,14 @@ class User implements IDBAccessObject, UserIdentity {
 		# user is not immune to autoblocks/hardblocks, and they are the current user so we
 		# know which IP address they're actually coming from
 		$ip = null;
-		if ( !$this->isAllowed( 'ipblock-exempt' ) ) {
-			$sessionUser = RequestContext::getMain()->getUser();
-			// the session user is set up towards the end of Setup.php. Until then,
-			// assume it's a logged-out user.
-			$globalUserName = $sessionUser->isSafeToLoad()
-				? $sessionUser->getName()
-				: IP::sanitizeIP( $sessionUser->getRequest()->getIP() );
-			if ( $this->getName() === $globalUserName ) {
-				$ip = $this->getRequest()->getIP();
-			}
+		$sessionUser = RequestContext::getMain()->getUser();
+		// the session user is set up towards the end of Setup.php. Until then,
+		// assume it's a logged-out user.
+		$globalUserName = $sessionUser->isSafeToLoad()
+			? $sessionUser->getName()
+			: IP::sanitizeIP( $sessionUser->getRequest()->getIP() );
+		if ( $this->getName() === $globalUserName && !$this->isAllowed( 'ipblock-exempt' ) ) {
+			$ip = $this->getRequest()->getIP();
 		}
 
 		// User/IP blocking
-- 
2.20.1