From: Aaron Schulz
Date: Mon, 30 Jan 2012 23:44:34 +0000 (+0000)
Subject: (bug 33992) - "Allow anon a formless purge with POST". Changed HTMLForm::tryAuthorize...
X-Git-Tag: 1.31.0-rc.0~24996
X-Git-Url: http://git.cyclocoop.org/%22.%24h.%22?a=commitdiff_plain;h=1c48deee3b72e65ec66496318f8516ff673586b7;p=lhc%2Fweb%2Fwiklou.git

(bug 33992) - "Allow anon a formless purge with POST". Changed HTMLForm::tryAuthorizedSubmit() to (a) require post for forms that are supposed to be posted and (b) bypass the token check for anons as it doesn't really do much except be slightly annoying. The tokens are just User::EDIT_TOKEN_SUFFIX in that case.
---
diff --git a/includes/HTMLForm.php b/includes/HTMLForm.php
index acc6b23f2b..7326bf5c1e 100644
--- a/includes/HTMLForm.php
+++ b/includes/HTMLForm.php
@@ -240,12 +240,27 @@ class HTMLForm extends ContextSource {
 * @return Status|boolean
 */
 function tryAuthorizedSubmit() {
- $editToken = $this->getRequest()->getVal( 'wpEditToken' );
- $result = false;
- if ( $this->getMethod() != 'post' || $this->getUser()->matchEditToken( $editToken ) ) {
+
+ $submit = false;
+ if ( $this->getMethod() != 'post' ) {
+ $submit = true; // no session check needed
+ } elseif ( $this->getRequest()->wasPosted() ) {
+ $editToken = $this->getRequest()->getVal( 'wpEditToken' );
+ if ( $this->getUser()->isLoggedIn() || $editToken != null ) {
+ // Session tokens for logged-out users have no security value.
+ // However, if the user gave one, check it in order to give a nice
+ // "session expired" error instead of "permission denied" or such.
+ $submit = $this->getUser()->matchEditToken( $editToken );
+ } else {
+ $submit = true;
+ }
+ }
+
+ if ( $submit ) {
 $result = $this->trySubmit();
 }
+
 return $result;
 }
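Review bot: `$result` is no longer initialised — the removed `$result = false;` has no replacement on the new side, so whenever `$submit` stays false (a post-method form reached by GET, or a failed token match) `return $result;` reads an undefined variable and the method returns null with a notice instead of the documented `Status|boolean`; reinstate `$result = false;` as the first statement of the body. The logged-out bypass in the `else` branch is only safe while the anonymous edit token is the public constant `User::EDIT_TOKEN_SUFFIX` named in the commit message; if anonymous tokens ever become session-bound this branch silently becomes a CSRF bypass for every POST form, so that assumption belongs next to the code, e.g. `// Safe only while anon edit tokens are the constant EDIT_TOKEN_SUFFIX; revisit if they become session-bound.` `$editToken != null` is a loose comparison, so a posted empty `wpEditToken=` (presumably `''` from getVal) also takes the bypass instead of the "session expired" path the comment promises; `$editToken !== null` matches the stated intent. The hunk header (-240,12 +240,27) implies two trailing context lines after the method's closing brace are cut off in this view, though the method body itself is complete.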