r70278 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r70277‎ | r70278 | r70279 >
Date:15:50, 1 August 2010
Author:ialex
Status:ok (Comments)
Tags:
Comment:
* (bug 24418) action=markpatrolled now requires a token
Modified paths:
  • /trunk/phase3/RELEASE-NOTES (modified) (history)
  • /trunk/phase3/includes/Article.php (modified) (history)
  • /trunk/phase3/includes/diff/DifferenceInterface.php (modified) (history)


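--- a/trunk/phase3/includes/diff/DifferenceInterface.php
+++ b/trunk/phase3/includes/diff/DifferenceInterface.php
@@ -236,13 +236,15 @@
 }
 // Build the link
 if( $rcid ) {
+$token = $wgUser->editToken( $rcid );
 $patrol = ' <span class="patrollink">[' . $sk->link(
 $this->mTitle,
 wfMsgHtml( 'markaspatrolleddiff' ),
 array(),
 array(
 'action' => 'markpatrolled',
-'rcid' => $rcid
+'rcid' => $rcid,
+'token' => $token,
 ),
 array(
 'known',
@@ -461,6 +463,7 @@
 # Add redundant patrol link on bottom...
 if( $this->mRcidMarkPatrolled && $this->mTitle->quickUserCan('patrol') ) {
 $sk = $wgUser->getSkin();
+$token = $wgUser->editToken( $this->mRcidMarkPatrolled );
 $wgOut->addHTML(
 "<div class='patrollink'>[" . $sk->link(
 $this->mTitle,
@@ -468,7 +471,8 @@
 array(),
 array(
 'action' => 'markpatrolled',
-'rcid' => $this->mRcidMarkPatrolled
+'rcid' => $this->mRcidMarkPatrolled,
+'token' => $token,
 )
 ) . ']</div>'
 );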
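Review bot: Both hunks put the token into a GET link (`'token' => $token` in the query array passed to `$sk->link`), so marking as patrolled is still triggered by a plain URL and the token will land in browser history, proxy logs and the Referer header of whatever page the patroller navigates to next. Salting with the rc id (`$wgUser->editToken( $rcid )` / `editToken( $this->mRcidMarkPatrolled )`) is what keeps a leaked token usable for only that one entry, and that rationale deserves a comment at the generation site, e.g. `// Salted with the rc id: a token leaked via Referer/history is only good for this one entry`. If the salt is ever dropped in favour of a shared token, that containment is lost and the link would be better issued as a POST form. The enclosing methods start outside these hunks, so it cannot be confirmed here that `$wgUser` is declared `global` in the scope of the first hunk.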
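--- a/trunk/phase3/includes/Article.php
+++ b/trunk/phase3/includes/Article.php
@@ -1316,6 +1316,7 @@
 }
 
 $sk = $wgUser->getSkin();
+$token = $wgUser->editToken( $rcid );
 
 $wgOut->addHTML(
 "<div class='patrollink'>" .
@@ -1327,7 +1328,8 @@
 array(),
 array(
 'action' => 'markpatrolled',
-'rcid' => $rcid
+'rcid' => $rcid,
+'token' => $token,
 ),
 array( 'known', 'noclasses' )
 )
@@ -2358,12 +2360,18 @@
 * Mark this particular edit/page as patrolled
 */
 public function markpatrolled() {
-global $wgOut, $wgRequest;
+global $wgOut, $wgUser, $wgRequest;
 
 $wgOut->setRobotPolicy( 'noindex,nofollow' );
 
 # If we haven't been given an rc_id value, we can't do anything
 $rcid = (int) $wgRequest->getVal( 'rcid' );
+
+if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'token' ), $rcid ) ) {
+$wgOut->showErrorPage( 'sessionfailure-title', 'sessionfailure' );
+return;
+}
+
 $rc = RecentChange::newFromId( $rcid );
 
 if ( is_null( $rc ) ) {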
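Review bot: The new check `if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'token' ), $rcid ) )` proves only that the request carries the current session's token; it does not establish that the requester may patrol, and the `patrol` right is not checked anywhere in this hunk — markpatrolled() continues past the hunk, where that check presumably lives, but it should be confirmed. If `matchEditToken` follows the usual MediaWiki behaviour for anonymous sessions (a fixed suffix rather than a per-session secret), the check passes for any logged-out request, so the permission check below must remain the real gate. I would add `// CSRF check only: the 'patrol' right and the rc's existence are still verified below` above the new block so the ordering is not later "optimised" away. Doing the token check before `RecentChange::newFromId( $rcid )` also means a stale link for a nonexistent rc reports sessionfailure rather than the rc error, which is acceptable but worth knowing when triaging reports.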
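--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -122,6 +122,7 @@
 * (bug 671) The <dfn> element has been whitelisted in user input.
 * (bug 24563) Entries on Special:WhatLinksHere now have a link to their history
 * (bug 21503) There's now a "reason" field when creating account for other users
+* (bug 24418) action=markpatrolled now requires a token
 
 === Bug fixes in 1.17 ===
 * (bug 17560) Half-broken deletion moved image files to deletion archive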

Follow-up revisions

RevisionCommit summaryAuthorDate
r70640Per comments, follow-up to r70278: make patrol tokens compatibles between api...ialex18:56, 7 August 2010

Comments

#Comment by Liangent (talk | contribs)   16:17, 1 August 2010
$token = $wgUser->editToken( $rcid );

So the tokens are not compatible with the ones generated by api.php?action=query&list=recentchanges&rctoken=patrol, where it is:

$cachedPatrolToken = $wgUser->editToken();

Is it better to make them compatible?

#Comment by Catrope (talk | contribs)   19:29, 2 August 2010

I would say so, yes.

#Comment by IAlex (talk | contribs)   18:58, 7 August 2010

Done in r70640.
