SECURITY: Do not allow botpassword login if account locked.

[lhc/web/wiklou.git] / includes / api / ApiLogin.php

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 9636789..14491da 100644 (file)
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -1,9 +1,5 @@
 <?php
 /**
- *
- *
- * Created on Sep 19, 2006
- *
  * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
  * Daniel Cannon (cannon dot danielc at gmail dot com)
  *
@@ -134,7 +130,11 @@ class ApiLogin extends ApiBase {
                                $session = $status->getValue();
                                $authRes = 'Success';
                                $loginType = 'BotPassword';
-                       } elseif ( !$botLoginData[2] || $status->hasMessage( 'login-throttled' ) ) {
+                       } elseif ( !$botLoginData[2] ||
+                               $status->hasMessage( 'login-throttled' ) ||
+                               $status->hasMessage( 'botpasswords-needs-reset' ) ||
+                               $status->hasMessage( 'botpasswords-locked' )
+                       ) {
                                $authRes = 'Failed';
                                $message = $status->getMessage();
                                LoggerFactory::getInstance( 'authentication' )->info(