SessionManager: Notify AuthPlugin before calling hooks

This avoids a race in CentralAuth:
* The user doesn't exist locally, so CA wants to create it
* Auto-creation adds the user to the database
* A hook function tries to access the session; now the user does exist
  locally but isn't yet attached, so CA rejects the session.

Bug: T125283
Change-Id: I6024885e3cf9c85c527fc160577f66ff97451c98

diff --git a/includes/session/SessionManager.php b/includes/session/SessionManager.php
index 6b221fd..4b38a5c 100644 (file)
--- a/includes/session/SessionManager.php
+++ b/includes/session/SessionManager.php
@@ -501,11 +501,7 @@ final class SessionManager implements SessionManagerInterface {
                        // @codeCoverageIgnoreEnd
                }
 
-               # Notify hooks (e.g. Newuserlog)
-               \Hooks::run( 'AuthPluginAutoCreate', array( $user ) );
-               \Hooks::run( 'LocalUserCreated', array( $user, true ) );
-
-               # Notify AuthPlugin too
+               # Notify AuthPlugin
                $tmpUser = $user;
                $wgAuth->initUser( $tmpUser, true );
                if ( $tmpUser !== $user ) {
@@ -513,6 +509,10 @@ final class SessionManager implements SessionManagerInterface {
                                get_class( $wgAuth ) . '::initUser() replaced the user object' );
                }
 
+               # Notify hooks (e.g. Newuserlog)
+               \Hooks::run( 'AuthPluginAutoCreate', array( $user ) );
+               \Hooks::run( 'LocalUserCreated', array( $user, true ) );
+
                $user->saveSettings();
 
                # Update user count