* drop user credentials for JSON callback output
* anticipating future changes, don't report anon edit tokens in JSON callback output
public function getParamDescription() {
return array (
- 'callback' => 'If specified, wraps the output into a given function call',
+ 'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
);
}
// If the current user cannot read,
// Remove all modules other than login
global $wgUser;
+
+ if( $request->getVal( 'callback' ) !== null ) {
+ // JSON callback allows cross-site reads.
+ // For safety, strip user credentials.
+ wfDebug( "API: stripping user credentials for JSON callback\n" );
+ $wgUser = new User();
+ }
+
if (!$wgUser->isAllowed('read')) {
self::$Modules = array(
'login' => self::$Modules['login'],
}
public function getTokenFlag($tokenArr, $action) {
+ if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+ // Don't do any session-specific data.
+ return false;
+ }
if (in_array($action, $tokenArr)) {
global $wgUser;
if ($wgUser->isAllowed($action))