From e10f96cff1968df001b068efd3147dd53f41d3bc Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Tue, 24 May 2016 14:05:52 -0400 Subject: [PATCH] API: Fixes for AuthManager * Set API response metadata on the AuthenticationRequest metadata so it is output as an assoc generally. * Remove the 'image' field in AuthenticationRequest::getFieldInfo()'s response, since we ended up not using it anywhere. * Make it so meta=authmanagerinfo can be used on private wikis without logging in, so action=clientlogin can be used to log in. ** This generalizes the exception for meta=tokens that was added in I83dafb030. * ApiAuthManagerInfo needs the "messageformat" parameter. * ApiAuthManagerInfo shouldn't be publically cached, since the responses vary depending on session state. Change-Id: Iea5ddb4ef9febed18f16a7ae8314968026f39148 --- includes/api/ApiAuthManagerHelper.php | 3 +-- includes/api/ApiQuery.php | 31 ++++++++++++++++-------- includes/api/ApiQueryAuthManagerInfo.php | 6 ++--- includes/auth/AuthenticationRequest.php | 4 +-- 4 files changed, 26 insertions(+), 18 deletions(-) diff --git a/includes/api/ApiAuthManagerHelper.php b/includes/api/ApiAuthManagerHelper.php index 299740571b..e30f22b64e 100644 --- a/includes/api/ApiAuthManagerHelper.php +++ b/includes/api/ApiAuthManagerHelper.php @@ -244,7 +244,7 @@ class ApiAuthManagerHelper { $describe = $req->describeCredentials(); $reqInfo = [ 'id' => $req->getUniqueId(), - 'metadata' => $req->getMetadata(), + 'metadata' => $req->getMetadata() + [ ApiResult::META_TYPE => 'assoc' ], ]; switch ( $req->required ) { case AuthenticationRequest::OPTIONAL: @@ -283,7 +283,6 @@ class ApiAuthManagerHelper { private function formatFields( array $fields ) { static $copy = [ 'type' => true, - 'image' => true, 'value' => true, ]; diff --git a/includes/api/ApiQuery.php b/includes/api/ApiQuery.php index 3ca4c08da4..ed4d373a7c 100644 --- a/includes/api/ApiQuery.php +++ b/includes/api/ApiQuery.php 
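Review bot: In the changed `'metadata'` entry of the first ApiAuthManagerHelper.php hunk, the array union keeps the left operand's value on a key collision, so a `getMetadata()` result that already contains the `ApiResult::META_TYPE` key would override the `'assoc'` marker. If the intent is that the API always emits this value as an assoc, the literal belongs on the left: `'metadata' => [ ApiResult::META_TYPE => 'assoc' ] + $req->getMetadata(),`. Whether any request class actually returns such a key is not visible here, and the enclosing method starts and ends outside the hunk.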
@@ -554,23 +554,34 @@ class ApiQuery extends ApiBase { } public function isReadMode() { - // We need to make an exception for ApiQueryTokens so login tokens can - // be fetched on private wikis. Restrict that exception as much as - // possible: no other modules allowed, and no pageset parameters - // either. We do allow the 'rawcontinue' and 'indexpageids' parameters - // since frameworks might add these unconditionally and they can't - // expose anything here. + // We need to make an exception for certain meta modules that should be + // accessible even without the 'read' right. Restrict the exception as + // much as possible: no other modules allowed, and no pageset + // parameters either. We do allow the 'rawcontinue' and 'indexpageids' + // parameters since frameworks might add these unconditionally and they + // can't expose anything here. + $this->mParams = $this->extractRequestParams(); $params = array_filter( array_diff_key( - $this->extractRequestParams() + $this->getPageSet()->extractRequestParams(), + $this->mParams + $this->getPageSet()->extractRequestParams(), [ 'rawcontinue' => 1, 'indexpageids' => 1 ] ) ); - if ( $params === [ 'meta' => [ 'tokens' ] ] ) { - return false; + if ( array_keys( $params ) !== [ 'meta' ] ) { + return true; + } + + // Ask each module if it requires read mode. Any true => this returns + // true. + $modules = []; + $this->instantiateModules( $modules, 'meta' ); + foreach ( $modules as $module ) { + if ( $module->isReadMode() ) { + return true; + } } - return true; + return false; } protected function getExamplesMessages() { diff --git a/includes/api/ApiQueryAuthManagerInfo.php b/includes/api/ApiQueryAuthManagerInfo.php index b591f9c00a..e2229cbe9f 100644 --- a/includes/api/ApiQueryAuthManagerInfo.php +++ b/includes/api/ApiQueryAuthManagerInfo.php 
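Review bot: The final `return false;` in isReadMode() is also reached when `$modules` is still empty after `instantiateModules( $modules, 'meta' )`, so the exemption from the 'read' right fails open in that case. Whether that can happen depends on instantiateModules(), which is outside this hunk. A guard such as `if ( !$modules ) { return true; }` before the loop would keep the default closed. The new assignment `$this->mParams = $this->extractRequestParams();` makes this predicate mutate object state, presumably because instantiateModules() reads `$this->mParams`; a one-line comment saying so would stop it being removed as redundant. The block comment should also state that any meta module returning false from isReadMode() is served to users without 'read' on private wikis, so such a module must not expose wiki content.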
@@ -75,8 +75,8 @@ class ApiQueryAuthManagerInfo extends ApiQueryBase { $this->getResult()->addValue( [ 'query' ], $this->getModuleName(), $ret ); } - public function getCacheMode( $params ) { - return 'public'; + public function isReadMode() { + return false; } public function getAllowedParams() { @@ -95,7 +95,7 @@ class ApiQueryAuthManagerInfo extends ApiQueryBase { AuthManager::ACTION_UNLINK, ], ], - ] + ApiAuthManagerHelper::getStandardParams( '', 'mergerequestfields' ); + ] + ApiAuthManagerHelper::getStandardParams( '', 'mergerequestfields', 'messageformat' ); } protected function getExamplesMessages() { diff --git a/includes/auth/AuthenticationRequest.php b/includes/auth/AuthenticationRequest.php index 3c19b87f17..8303435648 100644 --- a/includes/auth/AuthenticationRequest.php +++ b/includes/auth/AuthenticationRequest.php @@ -92,14 +92,12 @@ abstract class AuthenticationRequest { * - select: * - multiselect: More a grid of checkboxes than if 'image' is set, otherwise - * (uses 'label' as button text) + * - button: (uses 'label' as button text) * - hidden: Not visible to the user, but needs to be preserved for the next request * - null: No widget, just display the 'label' message. * - options: (array) Maps option values to Messages for the * 'select' and 'multiselect' types. * - value: (string) Value (for 'null' and 'hidden') or default value (for other types). - * - image: (string) URL of an image to use in connection with the input * - label: (Message) Text suitable for a label in an HTML form * - help: (Message) Text suitable as a description of what the field is * - optional: (bool) If set and truthy, the field may be left empty -- 2.20.1
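Review bot: The new `isReadMode()` in ApiQueryAuthManagerInfo returns false without any comment, although this one line is what makes the module reachable without the 'read' right on private wikis. I would add a comment above the return such as `// Must be usable before login on private wikis so action=clientlogin can work; keep output limited to auth request metadata.` Removing `getCacheMode()` relies on the inherited default being non-public, which the hunk does not show. Since the commit message says responses vary with session state, it is worth confirming that default or keeping an explicit override that returns `'private'`.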