From 677c66b31ecfadc48733396ed7c729847875fe21 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Sun, 10 Jul 2016 09:09:43 -0400
Subject: [PATCH] AuthManager: Break AuthPlugin::addUser more explicitly

AuthPlugin::addUser() is intended to only touch the external database
without creating a local user, which isn't possible under AuthManager
without reproducing too much of AuthManager's account creation methods
(and risking breaking things in even more obscure ways) to be
worthwhile.

As it is, either this will fail because the caller already called
User::addToDatabase() or the caller's subsequent User::addToDatabase()
call will fail because we're creating the local user.

So instead, let's just throw an exception unconditionally instead of
pretending it could work.

Bug: T137843
Change-Id: I8a439ea190c752a7fc49de5617e2c64c314c38f0
---
 includes/auth/AuthManagerAuthPlugin.php | 36 +++++--------------------
 1 file changed, 7 insertions(+), 29 deletions(-)

diff --git a/includes/auth/AuthManagerAuthPlugin.php b/includes/auth/AuthManagerAuthPlugin.php
index 8d85b4411d..884585829d 100644
--- a/includes/auth/AuthManagerAuthPlugin.php
+++ b/includes/auth/AuthManagerAuthPlugin.php
@@ -161,35 +161,13 @@ class AuthManagerAuthPlugin extends \AuthPlugin {
 	}
 
 	public function addUser( $user, $password, $email = '', $realname = '' ) {
-		global $wgUser;
-
-		$data = [
-			'username' => $user->getName(),
-			'password' => $password,
-			'retype' => $password,
-			'email' => $email,
-			'realname' => $realname,
-		];
-		if ( $this->domain !== null && $this->domain !== '' ) {
-			$data['domain'] = $this->domain;
-		}
-		$reqs = AuthManager::singleton()->getAuthenticationRequests( AuthManager::ACTION_CREATE );
-		$reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
-
-		$res = AuthManager::singleton()->beginAccountCreation( $wgUser, $reqs, 'null:' );
-		switch ( $res->status ) {
-			case AuthenticationResponse::PASS:
-				return true;
-			case AuthenticationResponse::FAIL:
-				// Hope it's not a PreAuthenticationProvider that failed...
-				$msg = $res->message instanceof \Message ? $res->message : new \Message( $res->message );
-				$this->logger->info( __METHOD__ . ': Authentication failed: ' . $msg->plain() );
-				return false;
-			default:
-				throw new \BadMethodCallException(
-					'AuthManager does not support such simplified account creation'
-				);
-		}
+		throw new \BadMethodCallException(
+			'Creation of users via AuthPlugin is not supported with '
+			. 'AuthManager. Generally, user creation should be left to either '
+			. 'Special:CreateAccount, auto-creation when triggered by a '
+			. 'SessionProvider or PrimaryAuthenticationProvider, or '
+			. 'User::newSystemUser().'
+		);
 	}
 
 	public function strict() {
-- 
2.20.1