r66539 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r66538‎ \| r66539 \| r66540 >
Date:	16:37, 16 May 2010
Author:	reedy
Status:	resolved (Comments)
Tags:
Comment:	* (bug 23548) Allow access of another users watchlist through watchlistraw using token and username Refactored code into static method, and reused in both places
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/api/ApiQueryWatchlist.php (modified) (history) /trunk/phase3/includes/api/ApiQueryWatchlistRaw.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiQueryWatchlistRaw.php
—	—	@@ -49,14 +49,12 @@
50	50	}
51	51
52	52	private function run( $resultPageSet = null ) {
53		~~- global $wgUser;~~
54		-
55	53	$this->selectNamedDB( 'watchlist', DB_SLAVE, 'watchlist' );
	54	+
	55	+ $params = $this->extractRequestParams();
56	56
57		~~- if ( !$wgUser->isLoggedIn() ) {~~
58		~~- $this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );~~
59		~~- }~~
60		~~- $params = $this->extractRequestParams();~~
	57	+ $user = ApiQueryWatchlist::getWatchlistUser( $params );
	58	+
61	59	$prop = array_flip( (array)$params['prop'] );
62	60	$show = array_flip( (array)$params['show'] );
63	61	if ( isset( $show['changed'] ) && isset( $show['!changed'] ) ) {
—	—	@@ -66,7 +64,7 @@
67	65	$this->addTables( 'watchlist' );
68	66	$this->addFields( array( 'wl_namespace', 'wl_title' ) );
69	67	$this->addFieldsIf( 'wl_notificationtimestamp', isset( $prop['changed'] ) );
70		~~- $this->addWhereFld( 'wl_user', $wgUser->getId() );~~
	68	+ $this->addWhereFld( 'wl_user', $user->getId() );
71	69	$this->addWhereFld( 'wl_namespace', $params['namespace'] );
72	70	$this->addWhereIf( 'wl_notificationtimestamp IS NOT NULL', isset( $show['changed'] ) );
73	71	$this->addWhereIf( 'wl_notificationtimestamp IS NULL', isset( $show['!changed'] ) );
—	—	@@ -157,6 +155,12 @@
158	156	'changed',
159	157	'!changed',
160	158	)
	159	+ ),
	160	+ 'owner' => array(
	161	+ ApiBase::PARAM_TYPE => 'user'
	162	+ ),
	163	+ 'token' => array(
	164	+ ApiBase::PARAM_TYPE => 'string'
161	165	)
162	166	);
163	167	}
—	—	@@ -168,6 +172,8 @@
169	173	'limit' => 'How many total results to return per request',
170	174	'prop' => 'Which additional properties to get (non-generator mode only)',
171	175	'show' => 'Only list items that meet these criteria',
	176	+ 'owner' => 'The name of the user whose watchlist you\'d like to access',
	177	+ 'token' => 'Give a security token (settable in preferences) to allow access to another user\'s watchlist',
172	178	);
173	179	}
174	180
—	—	@@ -179,6 +185,8 @@
180	186	return array_merge( parent::getPossibleErrors(), array(
181	187	array( 'code' => 'notloggedin', 'info' => 'You must be logged-in to have a watchlist' ),
182	188	array( 'show' ),
	189	+ array( 'code' => 'bad_wlowner', 'info' => 'Specified user does not exist' ),
	190	+ array( 'code' => 'bad_wltoken', 'info' => 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences' ),
183	191	) );
184	192	}
185	193
Index: trunk/phase3/includes/api/ApiQueryWatchlist.php
—	—	@@ -53,27 +53,12 @@
54	54	$fld_notificationtimestamp = false;
55	55
56	56	private function run( $resultPageSet = null ) {
57		~~- global $wgUser;~~
58		-
59	57	$this->selectNamedDB( 'watchlist', DB_SLAVE, 'watchlist' );
60	58
61	59	$params = $this->extractRequestParams();
	60	+
	61	+ $user = ApiQueryWatchlist::getWatchlistUser( $params );
62	62
63		~~- if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {~~
64		~~- $user = User::newFromName( $params['owner'], false );~~
65		~~- if ( !$user->getId() ) {~~
66		~~- $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );~~
67		~~- }~~
68		~~- $token = $user->getOption( 'watchlisttoken' );~~
69		~~- if ( $token == '' \|\| $token != $params['token'] ) {~~
70		~~- $this->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );~~
71		~~- }~~
72		~~- } elseif ( !$wgUser->isLoggedIn() ) {~~
73		~~- $this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );~~
74		~~- } else {~~
75		~~- $user = $wgUser;~~
76		~~- }~~
77		-
78	63	if ( !is_null( $params['prop'] ) && is_null( $resultPageSet ) ) {
79	64	$prop = array_flip( $params['prop'] );
80	65
—	—	@@ -290,6 +275,30 @@
291	276	return $vals;
292	277	}
293	278
	279	+ /**
	280	+ * Gets the user for whom to get the watchlist for
	281	+ *
	282	+ * @returns User
	283	+ */
	284	+ public static function getWatchlistUser( $params ) {
	285	+ global $wgUser;
	286	+ if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {
	287	+ $user = User::newFromName( $params['owner'], false );
	288	+ if ( !$user->getId() ) {
	289	+ $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
	290	+ }
	291	+ $token = $user->getOption( 'watchlisttoken' );
	292	+ if ( $token == '' \|\| $token != $params['token'] ) {
	293	+ $this->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );
	294	+ }
	295	+ } elseif ( !$wgUser->isLoggedIn() ) {
	296	+ $this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
	297	+ } else {
	298	+ $user = $wgUser;
	299	+ }
	300	+ return $user;
	301	+ }
	302	+
294	303	public function getAllowedParams() {
295	304	return array(
296	305	'allrev' => false,
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -180,6 +180,7 @@
181	181	* (bug 23460) Parse action should have a section option
182	182	* (bug 21346) Make deleted images searchable by hash
183	183	* (bug 23461) Normalise usage of parameter names in parameter descriptions
	184	+* (bug 23548) Allow access of another users watchlist through watchlistraw using token and username
184	185
185	186	=== Languages updated in 1.17 ===
186	187

Follow-up revisions

Revision	Commit summary	Author	Date
r67457	Fix method comment from r66539	reedy	12:30, 6 June 2010
r68404	Resolve fixme of r66539...	reedy	12:10, 22 June 2010

Comments

#Comment by Catrope (talk | contribs) 18:53, 3 June 2010

+	* Gets the user for whom to get the watchlist for

"for whom to ... for"? :P

#Comment by Reedy (talk | contribs) 19:18, 3 June 2010

It might be valid english. I dont know.. It seems to make sense

Must be the Yorkshire again ;)

#Comment by Catrope (talk | contribs) 19:22, 3 June 2010

Do Yorkshire folk frequently use redundant pronouns like that?

#Comment by Bryan (talk | contribs) 13:19, 18 June 2010

This calls a non-static method dieUsage from a static method. Is that allowed?

#Comment by Catrope (talk | contribs) 13:25, 18 June 2010

Nope, it's not. Good catch.

#Comment by Reedy (talk | contribs) 19:00, 20 June 2010

Hmm. 3 die's to deal with. Correct result is return of a User object.

Return the error..

if ( !( $user instance of User ) ) {
switch 'user'
{
case 'bad_wlowner':
$this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
}
}

etc

Seems a bit messy though?

#Comment by Reedy (talk | contribs) 19:01, 20 June 2010

instanceof

even

#Comment by Reedy (talk | contribs) 19:01, 20 June 2010

instanceof

even

#Comment by Bryan (talk | contribs) 19:47, 20 June 2010

Or throw the UsageException yourself.

#Comment by Reedy (talk | contribs) 11:33, 22 June 2010

Or we shove the method into base. And de staticise

#Comment by Catrope (talk | contribs) 11:54, 22 June 2010

I think that's the best solution (moving the method to ApiBase).

Status & tagging log

12:58, 22 June 2010 Catrope (talk | contribs) changed the status of r66539 [removed: new added: resolved]
12:10, 22 June 2010 Reedy (talk | contribs) changed the status of r66539 [removed: fixme added: new]
13:25, 18 June 2010 Catrope (talk | contribs) changed the status of r66539 [removed: ok added: fixme]
18:53, 3 June 2010 Catrope (talk | contribs) changed the status of r66539 [removed: new added: ok]