Prevent blocked users from changing user rights through the API
authorAndrew H <crazy4sb@gmail.com>
Mon, 21 Dec 2015 20:17:40 +0000 (20:17 +0000)
committerAndrew H <crazy4sb@gmail.com>
Tue, 22 Dec 2015 17:49:52 +0000 (17:49 +0000)
Deny blocked users only if they do not have full userrights privileges,
which is the same behavior as implemented in Special:UserRights.

Change-Id: I69557b0951c8fb8b4e7d3ba571b0e5d30782ab4c

includes/api/ApiUserrights.php

index 3ccdde2..e32b612 100644 (file)
@@ -49,6 +49,14 @@ class ApiUserrights extends ApiBase {
        }
 
        public function execute() {
+               $pUser = $this->getUser();
+
+               // Deny if the user is blocked and doesn't have the full 'userrights' permission.
+               // This matches what Special:UserRights does for the web UI.
+               if ( $pUser->isBlocked() && !$pUser->isAllowed( 'userrights' ) ) {
+                       $this->dieBlocked( $pUser->getBlock() );
+               }
+
                $params = $this->extractRequestParams();
 
                $user = $this->getUrUser( $params );
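Review bot: The new comment in execute() says "the user", but this method handles two users: the caller held in `$pUser` and the target assigned to `$user` a few lines later. The block check is the security boundary, so it should name its subject, for example `// Deny if the performing user (the API caller, not the target) is blocked and lacks the full 'userrights' permission.`, and `$pUser` would read better as `$performer`. Separately, if `isBlocked()` reads block state from a replica by default, a block placed moments earlier may not be seen by this check; confirm whether a primary-database read is wanted for a rights-changing write. The body of execute() continues past the end of the hunk, so later permission checks are not visible here.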