From 6a4b8043d45011c195031d57629af407e62bfa98 Mon Sep 17 00:00:00 2001
From: Andrew H
Date: Mon, 21 Dec 2015 20:17:40 +0000
Subject: [PATCH] Prevent blocked users from changing user rights through the API

Prevent blocked users only if they do not have full userrights privleges, which is the same behavior as implemented in Special:UserRights.

Change-Id: I69557b0951c8fb8b4e7d3ba571b0e5d30782ab4c
---
 includes/api/ApiUserrights.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/includes/api/ApiUserrights.php b/includes/api/ApiUserrights.php
index 3ccdde252f..e32b612369 100644
--- a/includes/api/ApiUserrights.php
+++ b/includes/api/ApiUserrights.php
@@ -49,6 +49,14 @@ class ApiUserrights extends ApiBase {
 }
 public function execute() {
+ $pUser = $this->getUser();
+
+ // Deny if the user is blocked and doesn't have the full 'userrights' permission.
+ // This matches what Special:UserRights does for the web UI.
+ if ( $pUser->isBlocked() && !$pUser->isAllowed( 'userrights' ) ) {
+ $this->dieBlocked( $pUser->getBlock() );
+ }
+
 $params = $this->extractRequestParams();
 $user = $this->getUrUser( $params );
--
2.20.1
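Review bot: The block check added at the top of `execute()` is a second hand-written copy of the rule in Special:UserRights, and the diffstat shows one file changed, so nothing ties the two copies together or tests the new path. I would add an API test asserting that a blocked performer without `userrights` is refused and that one with `userrights` still passes, and consider moving the predicate into a helper that both entry points call so they cannot drift apart again. `isBlocked()` is called with its default argument, which (if I read `User::isBlocked` correctly) may be answered from a replica; for a write action it is worth confirming that a block placed moments earlier is seen here. `$pUser` beside the later `$user` is easy to misread, so `$performer`, or a comment such as `// $pUser is the account making the request; $user below is the target account`, would help. The body of `execute()` continues past the end of the hunk.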