From 6acd424e0dbc322e8b9a141bd2625453c1b9b6f1 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Sun, 31 Jan 2016 15:48:23 -0500
Subject: [PATCH] SessionManager: Notify AuthPlugin before calling hooks

This avoids a race in CentralAuth:
* The user doesn't exist locally, so CA wants to create it
* Auto-creation adds the user to the database
* A hook function tries to access the session; now the user does exist
  locally but isn't yet attached, so CA rejects the session.

Bug: T125283
Change-Id: I6024885e3cf9c85c527fc160577f66ff97451c98
---
 includes/session/SessionManager.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/includes/session/SessionManager.php b/includes/session/SessionManager.php
index 6b221fd1be..4b38a5c318 100644
--- a/includes/session/SessionManager.php
+++ b/includes/session/SessionManager.php
@@ -501,11 +501,7 @@ final class SessionManager implements SessionManagerInterface {
 			// @codeCoverageIgnoreEnd
 		}
 
-		# Notify hooks (e.g. Newuserlog)
-		\Hooks::run( 'AuthPluginAutoCreate', array( $user ) );
-		\Hooks::run( 'LocalUserCreated', array( $user, true ) );
-
-		# Notify AuthPlugin too
+		# Notify AuthPlugin
 		$tmpUser = $user;
 		$wgAuth->initUser( $tmpUser, true );
 		if ( $tmpUser !== $user ) {
@@ -513,6 +509,10 @@ final class SessionManager implements SessionManagerInterface {
 				get_class( $wgAuth ) . '::initUser() replaced the user object' );
 		}
 
+		# Notify hooks (e.g. Newuserlog)
+		\Hooks::run( 'AuthPluginAutoCreate', array( $user ) );
+		\Hooks::run( 'LocalUserCreated', array( $user, true ) );
+
 		$user->saveSettings();
 
 		# Update user count
-- 
2.20.1