r96134 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r96133‎ | r96134 | r96135 >
Date:18:00, 2 September 2011
Author:preilly
Status:resolved
Tags:
Comment:
Add edit-token and user-can-edit checks, and make sure the user is not blocked
Modified paths:
  • /trunk/extensions/MobileFrontend/MobileFrontend.php (modified) (history)
  • /trunk/extensions/MobileFrontend/views/information/leave_feedback.html.php (modified) (history)


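--- a/trunk/extensions/MobileFrontend/MobileFrontend.php
+++ b/trunk/extensions/MobileFrontend/MobileFrontend.php
@@ -65,7 +65,7 @@
 );
 
 class ExtMobileFrontend {
-const VERSION = '0.5.52';
+const VERSION = '0.5.53';
 
 /**
 * @var DOMDocument
@@ -335,12 +335,19 @@
 
 $subject = htmlspecialchars( $wgRequest->getText( 'subject', '' ) );
 $message = htmlspecialchars( $wgRequest->getText( 'message', '' ) );
+$token = htmlspecialchars( $wgRequest->getText( 'edittoken', '' ) );
 
 $title = Title::newFromText( 'MobileFrontend Extension Feedback' );
-$article = new Article( $title, 0 );
-$rawtext = $article->getRawText();
-$rawtext .= "\n== {$subject} == \n {$message} ~~~~ \n <small>User agent: {$userAgent}</small> ";
-$article->doEdit( $rawtext, '' );
+
+if ( $title->userCan( 'edit' ) &&
+!$wgUser->isBlockedFrom( $title ) &&
+$wgUser->matchEditToken( $token ) ) {
+$article = new Article( $title, 0 );
+$rawtext = $article->getRawText();
+$rawtext .= "\n== {$subject} == \n {$message} ~~~~ \n <small>User agent: {$userAgent}</small> ";
+$article->doEdit( $rawtext, '' );
+}
+
 $location = str_replace( '&mobileaction=leave_feedback_post', '', $wgRequest->getFullRequestURL() );
 $wgRequest->response()->header( 'Location: ' . $location );
 wfProfileOut( __METHOD__ );
@@ -469,10 +476,11 @@
 }
 
 private function renderLeaveFeedbackXHTML() {
-global $wgRequest;
+global $wgRequest, $wgUser;
 wfProfileIn( __METHOD__ );
 if ( $this->contentFormat == 'XHTML' ) {
 $this->getMsg();
+$editToken = $wgUser->editToken();
 
 $title = self::$messages['mobile-frontend-leave-feedback-title'];
 $notice = self::$messages['mobile-frontend-leave-feedback-notice'];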
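Review bot: In the feedback-post hunk (new lines 343–350) a request that fails any of the three checks is dropped silently, because the `Location:` redirect at lines 352–353 is issued unconditionally, so a blocked user or a stale token produces exactly the same response as a successful post and a rejected request leaves no trace for anyone diagnosing it. An `else` branch that records the outcome, e.g. `wfDebug( __METHOD__ . ": feedback post rejected\n" );`, or that carries an error flag in the redirect URL so the form can show a message, would make the check observable. Separately, `$token` is passed through `htmlspecialchars()` on line 339 before `matchEditToken()`; the token is compared, never rendered, so the comparison should use the raw `$wgRequest->getText( 'edittoken', '' )` value and escaping should stay at the output side. If this path is reachable by logged-out users, note that `User::editToken()` returns the fixed suffix for anonymous users, so `matchEditToken()` would not distinguish their requests and the check mainly protects logged-in accounts — worth confirming against the intended audience of the form. The enclosing method starts before the hunk, so whether `$wgUser` is declared `global` there (as the third hunk does for renderLeaveFeedbackXHTML) cannot be confirmed from the hunk.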
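--- a/trunk/extensions/MobileFrontend/views/information/leave_feedback.html.php
+++ b/trunk/extensions/MobileFrontend/views/information/leave_feedback.html.php
@@ -4,6 +4,7 @@
 
 $leaveFeedbackHtml = <<<EOT
 <form action='{$feedbackPostURL}' method='post'>
+<input type="hidden" name="edittoken" value="{$editToken}"/>
 <div tabindex="-1">
 <div unselectable="on">
 <span unselectable="on"><p>{$title}</p></span>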
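Review bot: `{$editToken}` is interpolated into the `value` attribute on new line 8 without HTML escaping; the token format MediaWiki produces is attribute-safe today, but that makes the template's correctness depend on the token format rather than on the template. Escaping at the point of output, either `htmlspecialchars( $editToken )` where the variable is assigned in the caller or building the field with `Html::hidden( 'edittoken', $editToken )` and interpolating that result, keeps the attribute safe regardless. The heredoc continues past the hunk.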

Follow-up revisions

RevisionCommit summaryAuthorDate
r96137remove calls to htmlspecialchars the parser deals with what html is allowed a...preilly18:13, 2 September 2011
