From: Andrew H
Date: Mon, 21 Dec 2015 20:17:40 +0000 (+0000)
Subject: Prevent blocked users from changing user rights through the API
X-Git-Tag: 1.31.0-rc.0~8569^2
X-Git-Url: https://git.cyclocoop.org/%27.WWW_URL.%27admin/?a=commitdiff_plain;h=6a4b8043d45011c195031d57629af407e62bfa98;p=lhc%2Fweb%2Fwiklou.git
Prevent blocked users from changing user rights through the API
Prevent blocked users only if they do not have full userrights privleges, which is the same behavior as implemented in Special:UserRights.
Change-Id: I69557b0951c8fb8b4e7d3ba571b0e5d30782ab4c
---
diff --git a/includes/api/ApiUserrights.php b/includes/api/ApiUserrights.php
index 3ccdde252f..e32b612369 100644
--- a/includes/api/ApiUserrights.php
+++ b/includes/api/ApiUserrights.php
@@ -49,6 +49,14 @@ class ApiUserrights extends ApiBase {
 }
 public function execute() {
+ $pUser = $this->getUser();
+
+ // Deny if the user is blocked and doesn't have the full 'userrights' permission.
+ // This matches what Special:UserRights does for the web UI.
+ if ( $pUser->isBlocked() && !$pUser->isAllowed( 'userrights' ) ) {
+ $this->dieBlocked( $pUser->getBlock() );
+ }
+
 $params = $this->extractRequestParams();
 $user = $this->getUrUser( $params );