SECURITY: Do not allow botpassword login if account locked.
authorBrian Wolff <bawolff+wn@gmail.com>
Sun, 13 May 2018 19:37:09 +0000 (19:37 +0000)
committerReedy <reedy@wikimedia.org>
Thu, 20 Sep 2018 18:59:28 +0000 (19:59 +0100)
Reported by Rxy

Bug: T194605
Change-Id: Ib41005e69ab4db6f849837de12f0d41398b58f9a

includes/api/ApiLogin.php
includes/user/BotPassword.php
languages/i18n/en.json
languages/i18n/qqq.json

index 0248f25..14491da 100644 (file)
@@ -132,7 +132,8 @@ class ApiLogin extends ApiBase {
                                $loginType = 'BotPassword';
                        } elseif ( !$botLoginData[2] ||
                                $status->hasMessage( 'login-throttled' ) ||
-                               $status->hasMessage( 'botpasswords-needs-reset' )
+                               $status->hasMessage( 'botpasswords-needs-reset' ) ||
+                               $status->hasMessage( 'botpasswords-locked' )
                        ) {
                                $authRes = 'Failed';
                                $message = $status->getMessage();
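Review bot: The `elseif` on the lines above now enumerates three message keys (`login-throttled`, `botpasswords-needs-reset`, and the new `botpasswords-locked`) that `BotPassword::login()` may return as a fatal Status, and nothing in this file ties the list to that method, so the next fatal added there will again be missed here until someone notices — which is what this commit is patching. A comment above the condition, `// Keep in sync with the fatal statuses BotPassword::login() can return`, would make the coupling visible to the next maintainer; checking `!$status->isOK()` together with `$botLoginData[2]` instead of individual keys would remove the list entirely, if the branch not shown does not depend on the distinction. The enclosing method continues outside the hunk, so what the final `else` does with an unlisted fatal is inferred, not seen.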
index 6b8153c..8074c32 100644 (file)
@@ -473,6 +473,10 @@ class BotPassword implements IDBAccessObject {
                        return Status::newFatal( 'nosuchuser', $name );
                }
 
+               if ( $user->isLocked() ) {
+                       return Status::newFatal( 'botpasswords-locked' );
+               }
+
                // Throttle
                $throttle = null;
                if ( !empty( $wgPasswordAttemptThrottle ) ) {
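Review bot: The new `isLocked()` check returns a fatal before the throttle block and before any password comparison, and nothing says that ordering is deliberate; a comment on the new `if`, `// A locked account must not authenticate at all, so refuse before the throttle and before any password check`, would stop a later refactor from moving it below the throttle. One consequence worth stating in the same comment is that the lock state is then reported to any caller who names the account, without the throttle applying — presumably acceptable because lock status is visible elsewhere, but that is an assumption to confirm rather than something the hunk shows. The enclosing method begins outside the hunk, so where `$user` and `$name` come from is inferred.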
index 331dabe..7374f38 100644 (file)
        "botpasswords-invalid-name": "The username specified does not contain the bot password separator (\"$1\").",
        "botpasswords-not-exist": "User \"$1\" does not have a bot password named \"$2\".",
        "botpasswords-needs-reset": "The bot password for bot name \"$2\" of {{GENDER:$1|user}} \"$1\" must be reset.",
+       "botpasswords-locked": "You cannot login with a bot password as your account is locked.",
        "resetpass_forbidden": "Passwords cannot be changed",
        "resetpass_forbidden-reason": "Passwords cannot be changed: $1",
        "resetpass-no-info": "You must be logged in to access this page directly.",
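Review bot: The new `botpasswords-locked` message uses `login` as a verb, whereas the verb form is two words and the neighbouring messages are written in that register; `"botpasswords-locked": "You cannot log in with a bot password because your account is locked.",` reads correctly. The sibling messages `botpasswords-not-exist` and `botpasswords-needs-reset` also carry the username as `$1`, so if the caller in `BotPassword::login()` were changed to pass `$name`, the qqq.json entry would need the parameter documented as those entries do.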
index a4927b6..760d37d 100644 (file)
        "botpasswords-invalid-name": "Error message when a username lacking the separator character is passed to BotPassword. Parameters:\n* $1 - The separator character.",
        "botpasswords-not-exist": "Error message when a username exists but does not a bot password for the given \"bot name\". Parameters:\n* $1 - username\n* $2 - bot name",
        "botpasswords-needs-reset": "Error message when a bot password exists but needs to be reset. Parameters:\n* $1 - username\n* $2 - bot name",
+       "botpasswords-locked": "Shown in the event that the underlying account is locked",
        "resetpass_forbidden": "Used as error message in changing password. Maybe the external auth plugin won't allow local password changes.",
        "resetpass_forbidden-reason": "Like {{msg-mw|resetpass_forbidden}} but the auth provider gave a reason.\n\nParameters:\n* $1 - reason given by auth provider",
        "resetpass-no-info": "Error message for [[Special:ChangePassword]].\n\nParameters:\n* $1 (unused) - a link to [[Special:UserLogin]] with {{msg-mw|loginreqlink}} as link description",