SECURITY: rate-limit and prevent blocked users from changing email
[lhc/web/wiklou.git] / includes / api / ApiUserrights.php
index e251fe6..acb3da8 100644 (file)
@@ -51,8 +51,13 @@ class ApiUserrights extends ApiBase {
 
                // Deny if the user is blocked and doesn't have the full 'userrights' permission.
                // This matches what Special:UserRights does for the web UI.
-               if ( $pUser->isBlocked() && !$pUser->isAllowed( 'userrights' ) ) {
-                       $this->dieBlocked( $pUser->getBlock() );
+               if ( !$pUser->isAllowed( 'userrights' ) ) {
+                       // @TODO Should the user be blocked from changing user rights if they
+                       //       are partially blocked?
+                       $block = $pUser->getBlock();
+                       if ( $block ) {
+                               $this->dieBlocked( $block );
+                       }
                }
 
                $params = $this->extractRequestParams();
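Review bot: The `@TODO` added on the new lines leaves the partial-block policy as an open question inside a permission check, so the behaviour the new code actually implements (any block returned by `getBlock()` denies the change unless the user holds `userrights`) becomes the effective policy without being stated. Replace the question with a statement of the decision so the next reader knows it is deliberate, e.g. `// Any block (sitewide or partial) denies the change unless the user holds 'userrights'; revisit if partial blocks should be exempted.` If the intent is instead to exempt partially blocked users, the check needs to inspect the block's scope rather than just its presence, which the hunk does not do. The enclosing method starts before this hunk.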