SECURITY: Fix User::setToken() call on User::newSystemUser

This was supposed to reset the user token but did set it to '1'
because User::setToken accepts bool/string but only treats true
as bool.

Bug: T125161
Change-Id: Ia4196eba92cd4d170a3023db0f540a2972ffad4f

diff --git a/includes/session/SessionManager.php b/includes/session/SessionManager.php
index 0441137..6b221fd 100644 (file)
--- a/includes/session/SessionManager.php
+++ b/includes/session/SessionManager.php
@@ -539,7 +539,7 @@ final class SessionManager implements SessionManagerInterface {
                // Reset the user's token to kill existing sessions
                $user = User::newFromName( $username );
                if ( $user && $user->getToken( false ) ) {
-                       $user->setToken( true );
+                       $user->setToken();
                        $user->saveSettings();
                }