* If the parameter and the header do match, the header is checked against $wgCrossSiteAJAXdomains
* and $wgCrossSiteAJAXdomainExceptions, and if the origin qualifies, the appropriate CORS
* headers are set.
- * http://www.w3.org/TR/cors/#resource-requests
- * http://www.w3.org/TR/cors/#resource-preflight-requests
+ * https://www.w3.org/TR/cors/#resource-requests
+ * https://www.w3.org/TR/cors/#resource-preflight-requests
*
* @return bool False if the caller should abort (403 case), true otherwise (all other cases)
*/
$response->header( "Access-Control-Allow-Origin: $allowOrigin" );
$response->header( "Access-Control-Allow-Credentials: $allowCredentials" );
- // http://www.w3.org/TR/resource-timing/#timing-allow-origin
+ // https://www.w3.org/TR/resource-timing/#timing-allow-origin
if ( $allowTiming !== false ) {
$response->header( "Timing-Allow-Origin: $allowTiming" );
}
break;
}
}
+ if ( isset( $params['assertuser'] ) ) {
+ $assertUser = User::newFromName( $params['assertuser'], false );
+ if ( !$assertUser || !$this->getUser()->equals( $assertUser ) ) {
+ $this->dieUsage(
+ 'Assertion that the user is "' . $params['assertuser'] . '" failed',
+ 'assertnameduserfailed'
+ );
+ }
+ }
}
/**
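Review bot: `User::newFromName( $params['assertuser'], false )` switches name validation off without a comment explaining why that is safe. Presumably the `'user'` PARAM_TYPE declared for `assertuser` has already canonicalised the value, which a line such as `// Name was normalised by PARAM_TYPE 'user'; validation is skipped so the comparison is a plain name match` would record. With validation off, the check may also pass for an anonymous caller whose IP-address name equals the supplied value, if the `'user'` type accepts IP names. If so, clients that need a logged-in session still have to send `assert=user` as well, and the parameter help should say this. The `dieUsage()` message echoes the request value back verbatim, so it relies on every output format escaping error text. The enclosing method starts outside this hunk, so where the check runs relative to module execution is not visible here.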
'assert' => [
ApiBase::PARAM_TYPE => [ 'user', 'bot' ]
],
+ 'assertuser' => [
+ ApiBase::PARAM_TYPE => 'user',
+ ],
'requestid' => null,
'servedby' => false,
'curtimestamp' => false,