Manual:Hooks/SecuritySensitiveOperationStatus
SecuritySensitiveOperationStatus | |
---|---|
Available from version 1.27.0. Affect the return value from AuthManager::securitySensitiveOperationStatus(). | |
Define function: | public static function onSecuritySensitiveOperationStatus( &$status, $operation, $session, $timeSinceAuth ) { ... } |
Attach hook: | In extension.json:
{
	"Hooks": {
		"SecuritySensitiveOperationStatus": "MediaWiki\\Extension\\MyExtension\\Hooks::onSecuritySensitiveOperationStatus"
	}
}
|
Called from: | File(s): auth/AuthManager.php Function(s): securitySensitiveOperationStatus |
Interface: | SecuritySensitiveOperationStatusHook.php |
For more information about attaching hooks, see Manual:Hooks.
For examples of extensions using this hook, see Category:SecuritySensitiveOperationStatus extensions.
Details
- &$status: (string) The status to be returned. One of the AuthManager::SEC_* constants. SEC_REAUTH will be automatically changed to SEC_FAIL if authentication isn't possible for the current session type.
- $operation: (string) The operation being checked.
- $session: (Session) The current session. The currently-authenticated user may be retrieved as $session->getUser().
- $timeSinceAuth: (int) The time since last authentication. PHP_INT_MAX if the time of last auth is unknown, or -1 if authentication is not possible.

By default, when some operation requires elevated security (e.g. some special page requests it via SpecialPage::getLoginSecurityLevel()), MediaWiki checks when the user logged in and forces them to log in again if it was more than $wgReauthenticateTime seconds ago. This hook can be used to implement more complex logic (e.g. require reauthentication if the request is coming from a different IP than the one the user logged in from).

Extensions implementing this should take care not to override more strict requirements coming from other extensions (e.g. don't return false if you are setting the status to SEC_REAUTH, because some other hook handler might want to set it to SEC_FAIL).
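
The different-IP check mentioned above, sketched as an added example (not code from MediaWiki core or from any existing extension). It assumes a hypothetical session key, MyExtensionLoginIP, that is filled in by a UserLoggedIn handler which must also be registered in extension.json; the handler only tightens SEC_OK to SEC_REAUTH and always returns true so that later handlers still run.

```php
<?php
namespace MediaWiki\Extension\MyExtension;

use MediaWiki\Auth\AuthManager;

class Hooks {
	/** Hypothetical session key holding the IP address seen at login. */
	private const LOGIN_IP_KEY = 'MyExtensionLoginIP';

	/**
	 * UserLoggedIn handler: remember which IP the login came from.
	 * Assumption of this example: the value is kept in session data.
	 */
	public static function onUserLoggedIn( $user ) {
		$request = $user->getRequest();
		$request->getSession()->set( self::LOGIN_IP_KEY, $request->getIP() );
	}

	/**
	 * Require reauthentication when the request IP differs from the login IP.
	 */
	public static function onSecuritySensitiveOperationStatus(
		&$status, $operation, $session, $timeSinceAuth
	) {
		// Never weaken a stricter result: if core or an earlier handler
		// already chose SEC_REAUTH or SEC_FAIL, leave it untouched.
		if ( $status !== AuthManager::SEC_OK ) {
			return true;
		}

		$loginIp = $session->get( self::LOGIN_IP_KEY );
		$currentIp = $session->getRequest()->getIP();

		// An unknown login IP is treated like a mismatch (fail closed).
		if ( $loginIp === null || $loginIp !== $currentIp ) {
			// Core turns SEC_REAUTH into SEC_FAIL on its own when the
			// session type cannot reauthenticate.
			$status = AuthManager::SEC_REAUTH;
		}

		// Returning true lets other handlers raise the status further,
		// for example to SEC_FAIL.
		return true;
	}
}
```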