SECURITY: Do not allow botpassword login if account locked.

[lhc/web/wiklou.git] / includes / api / ApiLogin.php

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0248f25..14491da 100644 (file)
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -132,7 +132,8 @@ class ApiLogin extends ApiBase {
                                $loginType = 'BotPassword';
                        } elseif ( !$botLoginData[2] ||
                                $status->hasMessage( 'login-throttled' ) ||
-                               $status->hasMessage( 'botpasswords-needs-reset' )
+                               $status->hasMessage( 'botpasswords-needs-reset' ) ||
+                               $status->hasMessage( 'botpasswords-locked' )
                        ) {
                                $authRes = 'Failed';
                                $message = $status->getMessage();