From: Brad Jorsch
Date: Fri, 3 Jun 2016 15:33:41 +0000 (-0400)
Subject: Don't override action in UI and REDIRECT responses
X-Git-Tag: 1.31.0-rc.0~6711^2
X-Git-Url: https://git.cyclocoop.org/%28%28?a=commitdiff_plain;h=e2522e7e7eafdc0a2ca36e1f7f681562b580b355;p=lhc%2Fweb%2Fwiklou.git
Don't override action in UI and REDIRECT responses
In Ic8caf57eb, we changed things so the requests returned in a UI or REDIRECT response would have the action forced to that appropriate for the action being peformed. But ResetPasswordSecondaryAuthenticationProvider has a use case where a mismatch is necessary: it's run during the login action, but it needs a PasswordAuthenticationResponse for a change action.
Bug: T136894
Change-Id: I9d109a22c5b2d2064f664f584100ecaab43199c5
---
diff --git a/includes/auth/AuthManager.php b/includes/auth/AuthManager.php
index 402ea968e8..2ed0d618c7 100644
--- a/includes/auth/AuthManager.php
+++ b/includes/auth/AuthManager.php
@@ -558,7 +558,7 @@ class AuthManager implements LoggerAwareInterface {
 );
 $ret->neededRequests[] = $ret->createRequest;
 }
- $this->fillRequests( $ret->neededRequests, self::ACTION_LOGIN, null );
+ $this->fillRequests( $ret->neededRequests, self::ACTION_LOGIN, null, true );
 $session->setSecret( 'AuthManager::authnState', [
 'reqs' => [], // Will be filled in later
 'primary' => null,
@@ -2056,7 +2056,7 @@ class AuthManager implements LoggerAwareInterface {
 }
 // Fill in reqs data
- $this->fillRequests( $reqs, $providerAction, $options['username'] );
+ $this->fillRequests( $reqs, $providerAction, $options['username'], true );
 // For self::ACTION_CHANGE, filter out any that something else *doesn't* allow changing
 if ( $providerAction === self::ACTION_CHANGE || $providerAction === self::ACTION_REMOVE ) {
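Review bot: The bare `true` added to the `fillRequests()` call in the hunk at line 558, and again in the hunk at line 2056, does not say what it forces, even though which call sites overwrite a request's action is the invariant this commit introduces. A short comment at each call would make that reviewable, for example `// Requests built for this action: always overwrite any action a provider set`. Both enclosing methods start and end outside their hunks, so the diff cannot confirm that every request in these arrays really is built for the current action.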
@@ -2073,10 +2073,13 @@ class AuthManager implements LoggerAwareInterface {
 * @param AuthenticationRequest[] &$reqs
 * @param string $action
 * @param string|null $username
+ * @param boolean $forceAction
 */
- private function fillRequests( array &$reqs, $action, $username ) {
+ private function fillRequests( array &$reqs, $action, $username, $forceAction = false ) {
 foreach ( $reqs as $req ) {
- $req->action = $action;
+ if ( !$req->action || $forceAction ) {
+ $req->action = $action;
+ }
 if ( $req->username === null ) {
 $req->username = $username;
 }
diff --git a/includes/auth/ResetPasswordSecondaryAuthenticationProvider.php b/includes/auth/ResetPasswordSecondaryAuthenticationProvider.php
index 2e51cf22c1..f87a7620f2 100644
--- a/includes/auth/ResetPasswordSecondaryAuthenticationProvider.php
+++ b/includes/auth/ResetPasswordSecondaryAuthenticationProvider.php
@@ -95,10 +95,8 @@ class ResetPasswordSecondaryAuthenticationProvider extends AbstractSecondaryAuth
 }
 }
- if ( isset( $data->req ) ) {
- $needReq = $data->req;
- } else {
- $needReq = new PasswordAuthenticationRequest();
+ $needReq = isset( $data->req ) ? $data->req : new PasswordAuthenticationRequest();
+ if ( !$needReq->action ) {
 $needReq->action = AuthManager::ACTION_CHANGE;
 }
 $needReqs = [ $needReq ];
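Review bot: The new `$forceAction` parameter of `fillRequests()` is documented only as `@param boolean $forceAction`, yet it decides whether a provider-supplied action is trusted. When it is false, a request keeps whatever `action` it already carries, and the `!$req->action` test accepts any non-empty value without comparing it to the `ACTION_*` constants. I would document it as `@param bool $forceAction Overwrite $req->action even when a provider already set one` and note in the docblock that unforced callers pass provider-chosen actions through unchanged. The callers that now rely on the default `false` are not in this diff, and the function body continues past the hunk, so a test asserting that a UI or REDIRECT response keeps a pre-set action would pin the intended behaviour.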
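Review bot: A `$data->req` that arrives with an action other than `AuthManager::ACTION_CHANGE` now passes through this block unchanged, because the new `if ( !$needReq->action )` guard only fills in an empty action. Per the commit message, the central override no longer corrects it for UI responses either. The description says this provider needs a change-action request, so the expectation should be written next to the guard, for example `// $data->req is expected to be an ACTION_CHANGE request; only a missing action is defaulted here`. Whoever stores `$data->req` is outside this hunk, as are the start and end of the enclosing method, so it is worth confirming that no primary provider can place a login-action request there.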