r27151 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r27150‎ \| r27151 \| r27152 >
Date:	09:57, 3 November 2007
Author:	catrope
Status:	old
Tags:
Comment:	API: * Allow staying logged in through lg* parameters instead of cookies (modified patch by Eddie Roger) * Removed ApiLogin's sessionID return value, as it doesn't always work and is redundant anyway
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/api/ApiLogin.php (modified) (history) /trunk/phase3/includes/api/ApiMain.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiLogin.php
—	—	@@ -104,7 +104,6 @@
105	105	$result['lgusername'] = $_SESSION['wsUserName'];
106	106	$result['lgtoken'] = $_SESSION['wsToken'];
107	107	$result['cookieprefix'] = $wgCookiePrefix;
108		~~- $result['sessionid'] = $_COOKIE["{$wgCookiePrefix}_session"];~~
109	108	break;
110	109
111	110	case LoginForm :: NO_NAME :
Index: trunk/phase3/includes/api/ApiMain.php
—	—	@@ -88,11 +88,24 @@
89	89	* @param $enableWrite bool should be set to true if the api may modify data
90	90	*/
91	91	public function __construct($request, $enableWrite = false) {
	92	+ global $wgRequest, $wgUser;
92	93
93	94	$this->mInternalMode = ($request instanceof FauxRequest);
94	95
95	96	// Special handling for the main module: $parent === $this
96	97	parent :: __construct($this, $this->mInternalMode ? 'main_int' : 'main');
	98	+
	99	+ // Check if request has cookie-like variables, and set them
	100	+ if( ($request->getVal('lgtoken')) && ($request->getVal('lgusername')) && ($request->getVal('lguserid')) ) {
	101	+
	102	+ // Got variables, set cookies.
	103	+ $_SESSION['wsUserID'] = $request->getVal('lguserid');
	104	+ $_SESSION['wsUserName'] = $request->getVal('lgusername');
	105	+ $_SESSION['wsToken'] = $request->getVal('lgtoken');
	106	+
	107	+ // Reinitialize $wgUser from session data
	108	+ $wgUser = User::newFromSession();
	109	+ }
97	110
98	111	if (!$this->mInternalMode) {
99	112
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -157,6 +157,7 @@
158	158	* (bug 11721) Use a different title for results than for the help page.
159	159	* (bug 11562) Added a user_registration parameter/field to the list=allusers query.
160	160	* (bug 11588) Preserve document structure for empty dataset in backlinks query.
	161	+* Allow staying logged in through lg* parameters instead of cookies
161	162
162	163	=== Languages updated in 1.12 ===
163	164

Follow-up revisions

Revision	Commit summary	Author	Date
r27514	Revert r27151 -- allows session fixation attacks....	brion	04:24, 15 November 2007

Status & tagging log

15:22, 12 September 2011 Meno25 (talk | contribs) changed the status of r27151 [removed: ok added: old]