From: Brian Wolff
Date: Sun, 13 May 2018 19:37:09 +0000 (+0000)
Subject: SECURITY: Do not allow botpassword login if account locked.
X-Git-Tag: 1.31.1~2
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=6f98988380f39fb8684dbd020cdebedf18cfcaa8

SECURITY: Do not allow botpassword login if account locked.

Reported by Rxy

Bug: T194605
Change-Id: Ib41005e69ab4db6f849837de12f0d41398b58f9a
---

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0248f25ef6..14491da19f 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -132,7 +132,8 @@ class ApiLogin extends ApiBase {
 $loginType = 'BotPassword';
 } elseif ( !$botLoginData[2] ||
 $status->hasMessage( 'login-throttled' ) ||
- $status->hasMessage( 'botpasswords-needs-reset' )
+ $status->hasMessage( 'botpasswords-needs-reset' ) ||
+ $status->hasMessage( 'botpasswords-locked' )
 ) {
 $authRes = 'Failed';
 $message = $status->getMessage();
diff --git a/includes/user/BotPassword.php b/includes/user/BotPassword.php
index 6b8153cde4..8074c328f2 100644
--- a/includes/user/BotPassword.php
+++ b/includes/user/BotPassword.php
@@ -473,6 +473,10 @@ class BotPassword implements IDBAccessObject {
 return Status::newFatal( 'nosuchuser', $name );
 }
 
+ if ( $user->isLocked() ) {
+ return Status::newFatal( 'botpasswords-locked' );
+ }
+
 // Throttle
 $throttle = null;
 if ( !empty( $wgPasswordAttemptThrottle ) ) {
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 331dabedf7..7374f38ce1 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
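Review bot: Adding `'botpasswords-locked'` to the `||` chain makes a locked account a terminal failure instead of falling through to whatever follows the `elseif`, but nothing in the hunk records why these three statuses, and only these, must stop here, so a comment above the `} elseif (` line is warranted: `// Throttled, reset-required and locked results are final: do not retry these credentials on the fall-through path.` The set of terminal bot-password statuses is now maintained in two places, BotPassword::login which emits them and this chain which enumerates them, so consider hoisting it into a class constant such as `private const BOTPASSWORD_FINAL_STATUSES = [ 'login-throttled', 'botpasswords-needs-reset', 'botpasswords-locked' ];` and testing membership in a loop rather than growing the chain. The enclosing method starts and ends outside the hunk, so what the fall-through path actually does is inferred, not visible here.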
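Review bot: The lock check runs before any credential is verified and before the throttle that follows it in the hunk, so the distinct `botpasswords-locked` status tells an unauthenticated caller that a named account is locked without consuming a throttle slot; the `nosuchuser` result two lines above already discloses account existence, so this is consistent with existing behaviour, but lock state is new information returned at zero cost. If lock state is meant to stay non-public, move the check after the password comparison or fold it into the generic failure result, and either way document the ordering next to the new `if`: `// Reject locked accounts before any credential check; this discloses lock state, as nosuchuser already discloses existence.` It is also worth confirming that `$user->isLocked()` fails closed when the backing lock provider cannot answer, since that is not visible in this hunk. The enclosing method (presumably BotPassword::login) starts and ends outside the hunk.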
@@ -562,6 +562,7 @@
 "botpasswords-invalid-name": "The username specified does not contain the bot password separator (\"$1\").",
 "botpasswords-not-exist": "User \"$1\" does not have a bot password named \"$2\".",
 "botpasswords-needs-reset": "The bot password for bot name \"$2\" of {{GENDER:$1|user}} \"$1\" must be reset.",
+ "botpasswords-locked": "You cannot login with a bot password as your account is locked.",
 "resetpass_forbidden": "Passwords cannot be changed",
 "resetpass_forbidden-reason": "Passwords cannot be changed: $1",
 "resetpass-no-info": "You must be logged in to access this page directly.",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index a4927b64b1..760d37dd1f 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -759,6 +759,7 @@
 "botpasswords-invalid-name": "Error message when a username lacking the separator character is passed to BotPassword. Parameters:\n* $1 - The separator character.",
 "botpasswords-not-exist": "Error message when a username exists but does not a bot password for the given \"bot name\". Parameters:\n* $1 - username\n* $2 - bot name",
 "botpasswords-needs-reset": "Error message when a bot password exists but needs to be reset. Parameters:\n* $1 - username\n* $2 - bot name",
+ "botpasswords-locked": "Shown in the event that the underlying account is locked",
 "resetpass_forbidden": "Used as error message in changing password. Maybe the external auth plugin won't allow local password changes.",
 "resetpass_forbidden-reason": "Like {{msg-mw|resetpass_forbidden}} but the auth provider gave a reason.\n\nParameters:\n* $1 - reason given by auth provider",
 "resetpass-no-info": "Error message for [[Special:ChangePassword]].\n\nParameters:\n* $1 (unused) - a link to [[Special:UserLogin]] with {{msg-mw|loginreqlink}} as link description",