API: Deprecate use of ApiPurge via GET

This emits a warning and logs feature usage, and also pretends that POST
is required in the help and paraminfo output.

Bug: T145649
Change-Id: Ied8d47a947662158fddab383c764bf70c5ab0112

diff --git a/includes/api/ApiPurge.php b/includes/api/ApiPurge.php
index 5d1352c..8bbd88d 100644 (file)
--- a/includes/api/ApiPurge.php
+++ b/includes/api/ApiPurge.php
@@ -37,6 +37,12 @@ class ApiPurge extends ApiBase {
         * Purges the cache of a page
         */
        public function execute() {
+               $main = $this->getMain();
+               if ( !$main->isInternalMode() && !$main->getRequest()->wasPosted() ) {
+                       $this->logFeatureUsage( 'purge-via-GET' );
+                       $this->setWarning( 'Use of action=purge via GET is deprecated. Use POST instead.' );
+               }
+
                $params = $this->extractRequestParams();
 
                $continuationManager = new ApiContinuationManager( $this, [], [] );
@@ -158,6 +164,18 @@ class ApiPurge extends ApiBase {
                return !$this->getUser()->isAllowed( 'purge' );
        }
 
+       protected function getHelpFlags() {
+               $flags = parent::getHelpFlags();
+
+               // Claim that we must be posted for the purposes of help and paraminfo.
+               // @todo Remove this when self::mustBePosted() is updated for T145649
+               if ( !in_array( 'mustbeposted', $flags, true ) ) {
+                       $flags[] = 'mustbeposted';
+               }
+
+               return $flags;
+       }
+
        public function getAllowedParams( $flags = 0 ) {
                $result = [
                        'forcelinkupdate' => false,