SECURITY: Make blocks log users out if $wgBlockDisablesLogin
authorBrian Wolff <bawolff+wn@gmail.com>
Tue, 19 Apr 2016 14:25:43 +0000 (10:25 -0400)
committerChad Horohoe <chadh@wikimedia.org>
Tue, 23 Aug 2016 01:13:01 +0000 (18:13 -0700)
Issue originally reported by Multichill

Bug: T129738
Change-Id: Iddc58e504297c60f6d3ca99f21034fe7c5cf9801

includes/Block.php

index 93df004..bcbf494 100644 (file)
@@ -457,6 +457,7 @@ class Block {
         *      ('id' => block ID, 'autoIds' => array of autoblock IDs)
         */
        public function insert( $dbw = null ) {
+               global $wgBlockDisablesLogin;
                wfDebug( "Block::insert; timestamp {$this->mTimestamp}\n" );
 
                if ( $dbw === null ) {
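Review bot: The docblock above insert(), as far as it is visible here, documents only the return array, while the method now also resets the blocked user's login token when $wgBlockDisablesLogin is set. A line such as `* Side effect: if $wgBlockDisablesLogin is set and the target is a User, that user's login token is reset and saved.` would tell callers that inserting a block can write to the user record. Both the docblock and the method body extend beyond this hunk.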
@@ -499,6 +500,13 @@ class Block {
 
                if ( $affected ) {
                        $auto_ipd_ids = $this->doRetroactiveAutoblock();
+
+                       if ( $wgBlockDisablesLogin && $this->target instanceof User ) {
+                               // Change user login token to force them to be logged out.
+                               $this->target->setToken();
+                               $this->target->saveSettings();
+                       }
+
                        return [ 'id' => $this->mId, 'autoIds' => $auto_ipd_ids ];
                }
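Review bot: The token rotation sits only in the `if ( $affected )` branch of insert(), so the forced logout depends on a new block row being written. If an existing block can be changed through another path (not visible in this hunk), that path would leave the user's current token valid while $wgBlockDisablesLogin is set. It is also worth checking what `saveSettings()` does on failure, because the block row has already been written at this point and an exception here would keep the caller from receiving the `[ 'id' => ..., 'autoIds' => ... ]` result. I would extend the comment to give the reason, e.g. `// With $wgBlockDisablesLogin a block must also end existing sessions, so rotate the login token.`, and confirm that `instanceof User` is not also true for a target object that represents an IP address. insert() begins and ends outside this hunk.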