SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

[lhc/web/wiklou.git] / includes / user / User.php

diff --git a/includes/user/User.php b/includes/user/User.php
index 83cfa40..8859609 100644 (file)
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3147,6 +3147,22 @@ class User implements IDBAccessObject {
                        Hooks::run( 'UserGetRights', [ $this, &$this->mRights ] );
                        // Force reindexation of rights when a hook has unset one of them
                        $this->mRights = array_values( array_unique( $this->mRights ) );
+
+                       // If block disables login, we should also remove any
+                       // extra rights blocked users might have, in case the
+                       // blocked user has a pre-existing session (T129738).
+                       // This is checked here for cases where people only call
+                       // $user->isAllowed(). It is also checked in Title::checkUserBlock()
+                       // to give a better error message in the common case.
+                       $config = RequestContext::getMain()->getConfig();
+                       if (
+                               $this->isLoggedIn() &&
+                               $config->get( 'BlockDisablesLogin' ) &&
+                               $this->isBlocked()
+                       ) {
+                               $anon = new User;
+                               $this->mRights = array_intersect( $this->mRights, $anon->getRights() );
+                       }
                }
                return $this->mRights;
        }