From: Chad Horohoe <chadh@wikimedia.org>
Date: Tue, 13 Mar 2018 18:43:30 +0000 (+0000)
Subject: SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limit
X-Git-Tag: 1.34.0-rc.0~4041
X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=befd48c5f7d3d073de96c87375d7380f6187deb6

SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limit

The order of operations was incorrect.

Bug: T169545
Change-Id: Ia910aa2a494914d3b0017daac9ab294ea9fa8705
---

diff --git a/includes/user/User.php b/includes/user/User.php
index d6d4db25f3..84b95b4c33 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -2165,10 +2165,6 @@ class User implements IDBAccessObject, UserIdentity {
 			if ( isset( $limits['user'] ) ) {
 				$userLimit = $limits['user'];
 			}
-			// limits for newbie logged-in users
-			if ( $isNewbie && isset( $limits['newbie'] ) ) {
-				$keys[$cache->makeKey( 'limiter', $action, 'user', $id )] = $limits['newbie'];
-			}
 		}
 
 		// limits for anons and for newbie logged-in users
@@ -2200,6 +2196,11 @@ class User implements IDBAccessObject, UserIdentity {
 			}
 		}
 
+		// limits for newbie logged-in users (override all the normal user limits)
+		if ( $id !== 0 && $isNewbie && isset( $limits['newbie'] ) ) {
+			$userLimit = $limits['newbie'];
+		}
+
 		// Set the user limit key
 		if ( $userLimit !== false ) {
 			list( $max, $period ) = $userLimit;