From: Brad Jorsch Date: Wed, 9 May 2018 19:14:38 +0000 (-0400) Subject: SECURITY: Special:BotPasswords should reauthenticate X-Git-Tag: 1.34.0-rc.0~5123 X-Git-Url: http://git.cyclocoop.org/%22.%24h.%22?a=commitdiff_plain;h=128f9df2973554531d154ba2d333a570c36d543d;p=lhc%2Fweb%2Fwiklou.git SECURITY: Special:BotPasswords should reauthenticate More specifically, it should reauthenticate when creating a bot password or resetting the password. But we may as well do it for all accesses. Bug: T193237 Change-Id: I9a38a3109492753fff1f33c0f280e5b0f1fc1a76 --- diff --git a/RELEASE-NOTES-1.32 b/RELEASE-NOTES-1.32 index cdc25827f3..eab76138ba 100644 --- a/RELEASE-NOTES-1.32 +++ b/RELEASE-NOTES-1.32 @@ -25,6 +25,7 @@ production. This determines whether to set a cookie when an IP user is blocked. Doing so means that a blocked user, even after moving to a new IP address, will still be blocked. * The archive table's ar_rev_id field is now unique. +* Special:BotPasswords now requires reauthentication. === New features in 1.32 === * (T112474) Generalized the ResourceLoader mechanism for overriding modules diff --git a/includes/specials/SpecialBotPasswords.php b/includes/specials/SpecialBotPasswords.php index f03565adef..2d3a0ccbb5 100644 --- a/includes/specials/SpecialBotPasswords.php +++ b/includes/specials/SpecialBotPasswords.php @@ -57,6 +57,10 @@ class SpecialBotPasswords extends FormSpecialPage { return $this->getConfig()->get( 'EnableBotPasswords' ); } + protected function getLoginSecurityLevel() { + return $this->getName(); + } + /** * Main execution point * @param string|null $par
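Review bot: In the RELEASE-NOTES-1.32 hunk, the added line `* Special:BotPasswords now requires reauthentication.` carries no task reference, although the commit message names Bug: T193237 and the entry visible just below it in the same file uses the `(T112474)` prefix form. Suggest `* (T193237) SECURITY: Special:BotPasswords now requires reauthentication.` so that administrators reading the notes can trace the change to the report. The entry could also say that the prompt applies to every visit to the page, since the commit message states that this broader scope is what was chosen.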
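Review bot: In the includes/specials/SpecialBotPasswords.php hunk, the new `getLoginSecurityLevel()` has no doc comment, while the method that follows it has one ("Main execution point"). It returns `$this->getName()`, so the security level is keyed on the special page's own name and covers the whole page rather than only creating a bot password or resetting one. A short docblock stating that, and that the wider scope is deliberate as the commit message says, would keep a later change from narrowing it by accident. The diff also touches no test file; a test asserting that the page demands reauthentication before the form is shown would guard against regression.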