Skip auth checks when autocreate is allowed by provider

Session providers can provide a `canAlwaysAutocreate` flag which indicates account creation is exempt from autocreate permission checks. This is used, for example, for providers that provide users for supporting applications in a wiki farm. Check the flag and exempt the auto creation from abuse filter checks as well. Bug: T373778 Change-Id: Id89358930b92cb8dd05c2b031e764412ee641269
2024-09-23 10:18:22 +00:00 · 2024-09-05 07:25:35 -07:00 · 2024-09-05 07:25:35 -07:00 · 65c10f5fa0
parent db67b31db2
commit 65c10f5fa0
1 changed files with 1 additions and 1 deletions
--- a/includes/AbuseFilterPreAuthenticationProvider.php
+++ b/includes/AbuseFilterPreAuthenticationProvider.php
@ -61,7 +61,7 @@ class AbuseFilterPreAuthenticationProvider extends AbstractPreAuthenticationProv
 	 */
 	public function testUserForCreation( $user, $autocreate, array $options = [] ): StatusValue {
 		// if this is not an autocreation, testForAccountCreation already handled it
-		if ( $autocreate ) {
+		if ( $autocreate && !( $options['canAlwaysAutocreate'] ?? false ) ) {
 			// Make sure to use an anon as the creator, see T272244
 			return $this->testUser( $user, $this->userFactory->newAnonymous(), true );
 		}