r40693 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r40692‎ \| r40693 \| r40694 >
Date:	06:06, 10 September 2008
Author:	dale
Status:	old
Tags:
Comment:	fixed edit_token check
Modified paths:	/trunk/extensions/MetavidWiki/includes/MV_EditStreamPage.php (modified) (history)

Diff [purge]

Index: trunk/extensions/MetavidWiki/includes/MV_EditStreamPage.php
—	—	@@ -53,7 +53,7 @@
54	54	$html.='<form action="'.htmlspecialchars($wgRequest->getRequestURL()).'" method="POST">';
55	55	$html.='<input type="hidden" name="mv_action" value="edit_stream_files">';
56	56
57		~~- $html.='<input type="hidden" name="wpEditToken" value="'.htmlspecialchars($wgUser->editToken()).'"';~~
	57	+ $html.='<input type="hidden" name="wpEditToken" value="'.htmlspecialchars($wgUser->editToken()).'"/>';
58	58
59	59	$html.= '<fieldset><legend>'.wfMsg('mv_file_list').'</legend>' . "\n";
60	60	$html.= '<table width="600" border="0">';
—	—	@@ -72,7 +72,8 @@
73	73	}
74	74	//add new stream:
75	75	$html.='<form action="'.htmlspecialchars($wgRequest->getRequestURL()).'" method="POST">';
76		~~- $html.='<input type="hidden" name="mv_action" value="new_stream_file">';~~
	76	+ $html.='<input type="hidden" name="mv_action" value="new_stream_file" >';
	77	+ $html.='<input type="hidden" name="wpEditToken" value="'.htmlspecialchars($wgUser->editToken()).'" >';
77	78	$html.= '<fieldset><legend>'.wfMsg('mv_add_stream_file').'</legend>' . "\n";
78	79	$html.= '<table width="600" border="0">';
79	80	$html.= $this->getStreamFileForm(array('id'=>'new'));
—	—	@@ -87,11 +88,18 @@
88	89	function proccessReq(& $streamFiles){
89	90	global $wgRequest, $wgUser;
90	91
	92	+
91	93	//make sure the user can edit streams:
92		~~- if(!$wgUser->isAllowed('mv_edit_stream'))return ;~~
	94	+ if(!$wgUser->isAllowed('mv_edit_stream')){
	95	+ $this->status_error = wfMsg('add_stream_permission');
	96	+ return;
	97	+ }
93	98
94	99	//confirm the edit token:
95		~~- if(!$wgUser->matchEditToken($wgRequest->getVal('wpEditToken')))return ;~~
	100	+ if(!$wgUser->matchEditToken($wgRequest->getVal('wpEditToken'))){
	101	+ $this->status_error =wfMsg('token_suffix_mismatch');
	102	+ return ;
	103	+ }
96	104
97	105
98	106	$this->mv_action = $wgRequest->getVal('mv_action');