Allow privileged accounts to use action=query&meta=oath

Since T209749, privileged users have a UI to query 2FA status.
We should allow them to do the same thing via the API as well.

Bug: T250901
Change-Id: I28720c762ca595c0ab83aa400f0a593ed6a9285e
This commit is contained in:
Martin Urbanec 2020-04-22 12:04:57 +02:00
parent 8774167f97
commit 446f013c65
3 changed files with 29 additions and 3 deletions


@ -12,6 +12,7 @@
"apihelp-query+oath-description": "Check to see if two-factor authentication (OATH) is enabled for a user.",
"apihelp-query+oath-summary": "Check to see if two-factor authentication (OATH) is enabled for a user.",
"apihelp-query+oath-param-user": "User to get information about. Defaults to the current user.",
"apihelp-query+oath-param-reason": "Reason for querying the OATH status.",
"apihelp-query+oath-example-1": "Get information about the current user",
"apihelp-query+oath-example-2": "Get information about user <kbd>Example</kbd>",
"apihelp-oathvalidate-description": "Validate a two-factor authentication (OATH) token.",


@ -16,6 +16,7 @@
"apihelp-query+oath-description": "{{doc-apihelp-description|query+oath}}",
"apihelp-query+oath-summary": "{{doc-apihelp-summary|query+oath}}",
"apihelp-query+oath-param-user": "{{doc-apihelp-param|query+oath|user}}",
"apihelp-query+oath-param-reason": "{{doc-apihelp-param|query+oath|reason}}",
"apihelp-query+oath-example-1": "{{doc-apihelp-example|query+oath}}",
"apihelp-query+oath-example-2": "{{doc-apihelp-example|query+oath}}",
"apihelp-oathvalidate-description": "{{doc-apihelp-description|oathvalidate}}",


@ -18,12 +18,13 @@
namespace MediaWiki\Extension\OATHAuth\Api\Module;
use ApiBase;
use ApiQuery;
use ApiQueryBase;
use ApiResult;
use ManualLogEntry;
use MediaWiki\MediaWikiServices;
use User;
use Wikimedia\ParamValidator\ParamValidator;
/**
* Query module to check if a user has OATH authentication enabled.
@ -50,7 +51,18 @@ class ApiQueryOATH extends ApiQueryBase {
$params['user'] = $this->getUser()->getName();
}
$this->checkUserRightsAny( 'oathauth-api-all' );
$this->checkUserRightsAny( [ 'oathauth-api-all', 'oathauth-verify-user' ] );
$hasOAthauthApiAll = $this->getPermissionManager()
->userHasRight(
$this->getUser(),
'oathauth-api-all'
);
$reasonProvided = $params['reason'] !== null && $params['reason'] !== '';
if ( !$hasOAthauthApiAll && !$reasonProvided ) {
$this->dieWithError( [ 'apierror-missingparam', 'reason' ] );
}
$user = User::newFromName( $params['user'] );
if ( $user === false ) {
@ -69,6 +81,15 @@ class ApiQueryOATH extends ApiQueryBase {
$data['enabled'] = $authUser &&
$authUser->getModule() !== null &&
$authUser->getModule()->isEnabled( $authUser );
// Log if the user doesn't have oathauth-api-all or if a reason is provided
if ( !$hasOAthauthApiAll || $reasonProvided ) {
$logEntry = new ManualLogEntry( 'oath', 'verify' );
$logEntry->setPerformer( $this->getUser() );
$logEntry->setTarget( $user->getUserPage() );
$logEntry->setComment( $params['reason'] );
$logEntry->insert();
}
}
$result->addValue( 'query', $this->getModuleName(), $data );
}
@ -92,7 +113,10 @@ class ApiQueryOATH extends ApiQueryBase {
public function getAllowedParams() {
return [
'user' => [
ApiBase::PARAM_TYPE => 'user',
ParamValidator::PARAM_TYPE => 'user',
],
'reason' => [
ParamValidator::PARAM_TYPE => 'string',
],
];
}
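Review bot: The second hunk makes a `meta=oath` query write to the database (`$logEntry->insert()` for every `oathauth-verify-user` caller and for any caller who supplies `reason`), yet nothing in the diff marks the module as a write operation or requires POST, so a plain GET now creates a log row; if query submodules cannot declare write mode here, that limitation deserves a comment next to the log block, e.g. `// Audit log: a verify-user lookup is recorded even though this is a query module (GET), so the log must never carry anything beyond performer, target and reason`. The enclosing `execute()` starts before this hunk, so the `$user === false` branch that must run before `$user->getUserPage()` is not fully visible. Two smaller points: the local `$hasOAthauthApiAll` has an odd casing (`OAth`) that reads like a typo and would be clearer as `$hasOathauthApiAll`, and the new `reason` entry in `getAllowedParams()` does not tell callers that the parameter is mandatory unless they hold `oathauth-api-all`, so the help message in the first hunk (`apihelp-query+oath-param-reason`) should state that requirement rather than the error surfacing only at runtime.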