From ddb06aa783cca5afdb6b619f9067efb316777485 Mon Sep 17 00:00:00 2001 From: Daimona Eaytoy Date: Sun, 17 Jan 2021 17:16:46 +0100 Subject: [PATCH] SECURITY: Use an anonymous user as creator for autocreations This is saner, and allows consequences such as blocks to go through. Bug: T272244 Change-Id: Ie1f4333d5b1c9d17fb2236fe38a31de427a4cc48 --- includes/AbuseFilterPreAuthenticationProvider.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/includes/AbuseFilterPreAuthenticationProvider.php b/includes/AbuseFilterPreAuthenticationProvider.php index e4b6f06e3..7aec5421f 100644 --- a/includes/AbuseFilterPreAuthenticationProvider.php +++ b/includes/AbuseFilterPreAuthenticationProvider.php @@ -29,14 +29,15 @@ class AbuseFilterPreAuthenticationProvider extends AbstractPreAuthenticationProv public function testUserForCreation( $user, $autocreate, array $options = [] ) { // if this is not an autocreation, testForAccountCreation already handled it if ( $autocreate ) { - return $this->testUser( $user, $user, true ); + // FIXME Using the constructor directly here a bit hacky but needed for T272244 + return $this->testUser( $user, new User, true ); } return StatusValue::newGood(); } /** * @param User $user The user being created or autocreated - * @param User $creator The user who caused $user to be created (or $user itself on autocreation) + * @param User $creator The user who caused $user to be created (can be anonymous) * @param bool $autocreate Is this an autocreation? * @return StatusValue */