mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
synced 2024-11-24 08:14:15 +00:00
Merge "Allow privileged accounts to use action=query&meta=oath"
commit
7d13959016
|
@ -12,6 +12,7 @@
|
|||
"apihelp-query+oath-description": "Check to see if two-factor authentication (OATH) is enabled for a user.",
|
||||
"apihelp-query+oath-summary": "Check to see if two-factor authentication (OATH) is enabled for a user.",
|
||||
"apihelp-query+oath-param-user": "User to get information about. Defaults to the current user.",
|
||||
"apihelp-query+oath-param-reason": "Reason for querying the OATH status.",
|
||||
"apihelp-query+oath-example-1": "Get information about the current user",
|
||||
"apihelp-query+oath-example-2": "Get information about user <kbd>Example</kbd>",
|
||||
"apihelp-oathvalidate-description": "Validate a two-factor authentication (OATH) token.",
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
"apihelp-query+oath-description": "{{doc-apihelp-description|query+oath}}",
|
||||
"apihelp-query+oath-summary": "{{doc-apihelp-summary|query+oath}}",
|
||||
"apihelp-query+oath-param-user": "{{doc-apihelp-param|query+oath|user}}",
|
||||
"apihelp-query+oath-param-reason": "{{doc-apihelp-param|query+oath|reason}}",
|
||||
"apihelp-query+oath-example-1": "{{doc-apihelp-example|query+oath}}",
|
||||
"apihelp-query+oath-example-2": "{{doc-apihelp-example|query+oath}}",
|
||||
"apihelp-oathvalidate-description": "{{doc-apihelp-description|oathvalidate}}",
|
||||
|
|
|
@ -18,12 +18,13 @@
|
|||
|
||||
namespace MediaWiki\Extension\OATHAuth\Api\Module;
|
||||
|
||||
use ApiBase;
|
||||
use ApiQuery;
|
||||
use ApiQueryBase;
|
||||
use ApiResult;
|
||||
use ManualLogEntry;
|
||||
use MediaWiki\MediaWikiServices;
|
||||
use User;
|
||||
use Wikimedia\ParamValidator\ParamValidator;
|
||||
|
||||
/**
|
||||
* Query module to check if a user has OATH authentication enabled.
|
||||
|
@ -50,7 +51,18 @@ class ApiQueryOATH extends ApiQueryBase {
|
|||
$params['user'] = $this->getUser()->getName();
|
||||
}
|
||||
|
||||
$this->checkUserRightsAny( 'oathauth-api-all' );
|
||||
$this->checkUserRightsAny( [ 'oathauth-api-all', 'oathauth-verify-user' ] );
|
||||
|
||||
$hasOAthauthApiAll = $this->getPermissionManager()
|
||||
->userHasRight(
|
||||
$this->getUser(),
|
||||
'oathauth-api-all'
|
||||
);
|
||||
|
||||
$reasonProvided = $params['reason'] !== null && $params['reason'] !== '';
|
||||
if ( !$hasOAthauthApiAll && !$reasonProvided ) {
|
||||
$this->dieWithError( [ 'apierror-missingparam', 'reason' ] );
|
||||
}
|
||||
|
||||
$user = User::newFromName( $params['user'] );
|
||||
if ( $user === false ) {
|
||||
|
@ -69,6 +81,15 @@ class ApiQueryOATH extends ApiQueryBase {
|
|||
$data['enabled'] = $authUser &&
|
||||
$authUser->getModule() !== null &&
|
||||
$authUser->getModule()->isEnabled( $authUser );
|
||||
|
||||
// Log if the user doesn't have oathauth-api-all or if a reason is provided
|
||||
if ( !$hasOAthauthApiAll || $reasonProvided ) {
|
||||
$logEntry = new ManualLogEntry( 'oath', 'verify' );
|
||||
$logEntry->setPerformer( $this->getUser() );
|
||||
$logEntry->setTarget( $user->getUserPage() );
|
||||
$logEntry->setComment( $params['reason'] );
|
||||
$logEntry->insert();
|
||||
}
|
||||
}
|
||||
$result->addValue( 'query', $this->getModuleName(), $data );
|
||||
}
|
||||
|
@ -92,7 +113,10 @@ class ApiQueryOATH extends ApiQueryBase {
|
|||
public function getAllowedParams() {
|
||||
return [
|
||||
'user' => [
|
||||
ApiBase::PARAM_TYPE => 'user',
|
||||
ParamValidator::PARAM_TYPE => 'user',
|
||||
],
|
||||
'reason' => [
|
||||
ParamValidator::PARAM_TYPE => 'string',
|
||||
],
|
||||
];
|
||||
}
|
||||
|
|
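Review bot: The `$reasonProvided` test in execute() accepts a whitespace-only string, so a caller holding only `oathauth-verify-user` can pass the mandatory-reason gate and leave an effectively blank comment on the `oath`/`verify` log entry; consider `$reasonProvided = trim( (string)$params['reason'] ) !== '';`. The `reason` entry in getAllowedParams() sets no length bound and the value goes unmodified into `setComment()`, so confirm how an over-long reason behaves before `insert()` rather than letting it fail after the status has been computed. The log row is also written from a query module, and these hunks do not show whether the class overrides `mustBePosted()` or `isWriteMode()`; if it does not, a GET carrying `reason` would create audit entries in the requesting account's name. execute() starts and ends outside the hunks shown, and the logging block sits inside a conditional whose opening line is not visible, so check that lookups which skip that branch are still audited as intended.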