From fec31a8b9d2a682ceadd012df7ff5ffd748f0493 Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Wed, 5 Oct 2016 10:35:47 -0400 Subject: [PATCH] API: Add assertuser parameter This was requested for the use of scripts that are concerned about the possibility that the user might log in with a different account in another browser window, thereby changing the expected user out from underneath the script. Bug: T146770 Change-Id: I94e0421cb263a418e86649f0d22ece4cfec6a395 --- RELEASE-NOTES-1.28 | 2 ++ includes/api/ApiMain.php | 12 +++++++++++ includes/api/i18n/en.json | 1 + includes/api/i18n/qqq.json | 1 + tests/phpunit/includes/api/ApiMainTest.php | 23 ++++++++++++++++++++++ 5 files changed, 39 insertions(+) diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28 index 8b7dced7f8..a078e096f5 100644 --- a/RELEASE-NOTES-1.28 +++ b/RELEASE-NOTES-1.28 @@ -114,6 +114,8 @@ production. indicated by a 'fromencoded' boolean alongside the existing 'from' parameter. * (T28680) action=paraminfo can now return info about all submodules of a module without listing them all explicitly. +* (T146770) It is now possible to assert that the current user is a specific + named user, using the 'assertuser' parameter. === Action API internal changes in 1.28 === * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index 8d5af594c1..c8f4460e9f 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -1361,6 +1361,15 @@ class ApiMain extends ApiBase { break; } } + if ( isset( $params['assertuser'] ) ) { + $assertUser = User::newFromName( $params['assertuser'], false ); + if ( !$assertUser || !$this->getUser()->equals( $assertUser ) ) { + $this->dieUsage( + 'Assertion that the user is "' . $params['assertuser'] . '" failed', + 'assertnameduserfailed' + ); + } + } } /** 
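Review bot: The failure message in the added `dieUsage()` call concatenates the request-supplied `$params['assertuser']` into the error text. That is safe only if the value was already normalized by the 'user' parameter type and every output format escapes error info, and neither is visible in this hunk. A fixed message such as `'Assertion that the user is the named user failed'` would avoid reflecting input, and the client already knows which name it sent. The `false` passed to `User::newFromName()` switches off name validation and deserves a one-line comment saying why, for example `// validation is left to the 'user' parameter type` if that is the intent. The enclosing method (presumably `checkAsserts`, going by the test's `@covers`) starts before the hunk.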
@@ -1661,6 +1670,9 @@ class ApiMain extends ApiBase { 'assert' => [ ApiBase::PARAM_TYPE => [ 'user', 'bot' ] ], + 'assertuser' => [ + ApiBase::PARAM_TYPE => 'user', + ], 'requestid' => null, 'servedby' => false, 'curtimestamp' => false, diff --git a/includes/api/i18n/en.json b/includes/api/i18n/en.json index 40388f933f..05f606d66c 100644 --- a/includes/api/i18n/en.json +++ b/includes/api/i18n/en.json @@ -13,6 +13,7 @@ "apihelp-main-param-smaxage": "Set the s-maxage HTTP cache control header to this many seconds. Errors are never cached.", "apihelp-main-param-maxage": "Set the max-age HTTP cache control header to this many seconds. Errors are never cached.", "apihelp-main-param-assert": "Verify the user is logged in if set to user, or has the bot user right if bot.", + "apihelp-main-param-assertuser": "Verify the current user is the named user.", "apihelp-main-param-requestid": "Any value given here will be included in the response. May be used to distinguish requests.", "apihelp-main-param-servedby": "Include the hostname that served the request in the results.", "apihelp-main-param-curtimestamp": "Include the current timestamp in the result.", diff --git a/includes/api/i18n/qqq.json b/includes/api/i18n/qqq.json index caa89b5d5e..8deda753d5 100644 --- a/includes/api/i18n/qqq.json +++ b/includes/api/i18n/qqq.json @@ -22,6 +22,7 @@ "apihelp-main-param-smaxage": "{{doc-apihelp-param|main|smaxage}}", "apihelp-main-param-maxage": "{{doc-apihelp-param|main|maxage}}", "apihelp-main-param-assert": "{{doc-apihelp-param|main|assert}}", + "apihelp-main-param-assertuser": "{{doc-apihelp-param|main|assertuser}}", "apihelp-main-param-requestid": "{{doc-apihelp-param|main|requestid}}", "apihelp-main-param-servedby": "{{doc-apihelp-param|main|servedby}}", "apihelp-main-param-curtimestamp": "{{doc-apihelp-param|main|curtimestamp}}", diff --git a/tests/phpunit/includes/api/ApiMainTest.php b/tests/phpunit/includes/api/ApiMainTest.php index 334e3b88fb..c111949d2f 100644 
--- a/tests/phpunit/includes/api/ApiMainTest.php +++ b/tests/phpunit/includes/api/ApiMainTest.php @@ -58,6 +58,29 @@ class ApiMainTest extends ApiTestCase { } } + /** + * Tests the assertuser= functionality + * + * @covers ApiMain::checkAsserts + */ + public function testAssertUser() { + $user = $this->getTestUser()->getUser(); + $this->doApiRequest( [ + 'action' => 'query', + 'assertuser' => $user->getName(), + ], null, null, $user ); + + try { + $this->doApiRequest( [ + 'action' => 'query', + 'assertuser' => $user->getName() . 'X', + ], null, null, $user ); + $this->fail( 'Expected exception not thrown' ); + } catch ( UsageException $e ) { + $this->assertEquals( $e->getCodeString(), 'assertnameduserfailed' ); + } + } + /** * Test if all classes in the main module manager exists */ -- 2.20.1
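Review bot: `assertEquals( $e->getCodeString(), 'assertnameduserfailed' )` in `testAssertUser` passes the actual value first and the expected value second, so a failure report will read backwards. Swap the arguments: `$this->assertEquals( 'assertnameduserfailed', $e->getCodeString() );`. The test covers only a logged-in user with one matching and one mismatching name. The `!$assertUser` branch (a name that `User::newFromName()` rejects, if parameter validation lets one through) and an anonymous session are not covered. Adding a case for each would pin down whether `assertuser` can pass for a logged-out request, which is what scripts relying on this check need to know.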