From: Sam Reed
Date: Sun, 16 May 2010 16:37:34 +0000 (+0000)
Subject: * (bug 23548) Allow access of another users watchlist through watchlistraw using...
X-Git-Tag: 1.31.0-rc.0~36824
X-Git-Url: http://git.cyclocoop.org/%22.htmlspecialchars%28%24url_syndic%29.%22?a=commitdiff_plain;h=3395bae78f4577e11f42da9d4e4cdb641c9c7938;p=lhc%2Fweb%2Fwiklou.git

* (bug 23548) Allow access of another users watchlist through watchlistraw using token and username
Refactored code into static method, and reused in both places
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index a5a971bc20..471bc3cb97 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -180,6 +180,7 @@ in a negative namespace (which is invalid).
 * (bug 23460) Parse action should have a section option
 * (bug 21346) Make deleted images searchable by hash
 * (bug 23461) Normalise usage of parameter names in parameter descriptions
+* (bug 23548) Allow access of another users watchlist through watchlistraw using token and username
 
 === Languages updated in 1.17 ===
 
diff --git a/includes/api/ApiQueryWatchlist.php b/includes/api/ApiQueryWatchlist.php
index f301ab388f..67a508b248 100644
--- a/includes/api/ApiQueryWatchlist.php
+++ b/includes/api/ApiQueryWatchlist.php
@@ -53,26 +53,11 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase {
 $fld_notificationtimestamp = false;
 
 private function run( $resultPageSet = null ) {
- global $wgUser;
-
 $this->selectNamedDB( 'watchlist', DB_SLAVE, 'watchlist' );
 
 $params = $this->extractRequestParams();
-
- if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {
- $user = User::newFromName( $params['owner'], false );
- if ( !$user->getId() ) {
- $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
- }
- $token = $user->getOption( 'watchlisttoken' );
- if ( $token == '' || $token != $params['token'] ) {
- $this->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );
- }
- } elseif ( !$wgUser->isLoggedIn() ) {
- $this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
- } else {
- $user = $wgUser;
- }
+
+ $user = ApiQueryWatchlist::getWatchlistUser( $params );
 
 if ( !is_null( $params['prop'] ) && is_null( $resultPageSet ) ) {
 $prop = array_flip( $params['prop'] );
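Review bot: The `global $wgUser;` declaration is dropped from `run()` while only the owner-resolution block that used it is moved out; `run()` continues past the hunk, so if any later line of the method still references `$wgUser` (a permission or patrol check, for example) it would now read an undefined local. That is inferred from the removed declaration rather than visible here, and is worth confirming against the rest of the method before merging. Within the class the helper can be invoked as `self::getWatchlistUser( $params )` instead of repeating the class name. The body of `run()` continues outside the hunk.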
@@ -290,6 +275,30 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase {
 return $vals;
 }
 
+ /**
+ * Gets the user for whom to get the watchlist for
+ *
+ * @returns User
+ */
+ public static function getWatchlistUser( $params ) {
+ global $wgUser;
+ if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {
+ $user = User::newFromName( $params['owner'], false );
+ if ( !$user->getId() ) {
+ $this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
+ }
+ $token = $user->getOption( 'watchlisttoken' );
+ if ( $token == '' || $token != $params['token'] ) {
+ $this->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );
+ }
+ } elseif ( !$wgUser->isLoggedIn() ) {
+ $this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
+ } else {
+ $user = $wgUser;
+ }
+ return $user;
+ }
+
 public function getAllowedParams() {
 return array(
 'allrev' => false,
diff --git a/includes/api/ApiQueryWatchlistRaw.php b/includes/api/ApiQueryWatchlistRaw.php
index cddca0202c..b2a97f9ff1 100644
--- a/includes/api/ApiQueryWatchlistRaw.php
+++ b/includes/api/ApiQueryWatchlistRaw.php
@@ -49,14 +49,12 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
 }
 
 private function run( $resultPageSet = null ) {
- global $wgUser;
-
 $this->selectNamedDB( 'watchlist', DB_SLAVE, 'watchlist' );
-
- if ( !$wgUser->isLoggedIn() ) {
- $this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
- }
+
 $params = $this->extractRequestParams();
+
+ $user = ApiQueryWatchlist::getWatchlistUser( $params );
+
 $prop = array_flip( (array)$params['prop'] );
 $show = array_flip( (array)$params['show'] );
 if ( isset( $show['changed'] ) && isset( $show['!changed'] ) ) {
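Review bot: `$this->dieUsage( ... )` is called three times inside the new `static` method `getWatchlistUser`, so every rejection path (unknown owner, wrong token, anonymous caller) ends in a fatal "Using $this when not in object context" rather than the intended API error; since ApiQueryWatchlistRaw calls the helper statically, the cleanest repair is to pass the calling module in and report through it, with both call sites becoming `ApiQueryWatchlist::getWatchlistUser( $this, $params )`. The token check uses loose `!=` on an attacker-supplied string; compare it strictly (`$token !== $params['token']`), or with a constant-time comparison where the runtime offers one, so that a numeric-looking token cannot be matched by a differently spelled numeric string. `User::newFromName` can return `false` for an unusable name and the following `getId()` call does not guard that; whether the `user` parameter type already filters such names upstream is not visible here. The docblock tag should read `@return User` rather than `@returns`.
```php
	 * @param ApiBase $module the calling module, used to report API errors
	 * @param array $params the module's request parameters
	 * @return User
	 */
	public static function getWatchlistUser( $module, $params ) {
		// … unchanged: global $wgUser; owner/token condition …
			$user = User::newFromName( $params['owner'], false );
			if ( !$user || !$user->getId() ) {
				$module->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
			}
			$token = $user->getOption( 'watchlisttoken' );
			if ( $token == '' || $token !== $params['token'] ) {
				$module->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );
			}
		} elseif ( !$wgUser->isLoggedIn() ) {
			$module->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
		// … unchanged: else branch assigning $wgUser, return $user …
```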
@@ -66,7 +64,7 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
 $this->addTables( 'watchlist' );
 $this->addFields( array( 'wl_namespace', 'wl_title' ) );
 $this->addFieldsIf( 'wl_notificationtimestamp', isset( $prop['changed'] ) );
- $this->addWhereFld( 'wl_user', $wgUser->getId() );
+ $this->addWhereFld( 'wl_user', $user->getId() );
 $this->addWhereFld( 'wl_namespace', $params['namespace'] );
 $this->addWhereIf( 'wl_notificationtimestamp IS NOT NULL', isset( $show['changed'] ) );
 $this->addWhereIf( 'wl_notificationtimestamp IS NULL', isset( $show['!changed'] ) );
@@ -157,6 +155,12 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
 'changed',
 '!changed',
 )
+ ),
+ 'owner' => array(
+ ApiBase::PARAM_TYPE => 'user'
+ ),
+ 'token' => array(
+ ApiBase::PARAM_TYPE => 'string'
 )
 );
 }
@@ -168,6 +172,8 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
 'limit' => 'How many total results to return per request',
 'prop' => 'Which additional properties to get (non-generator mode only)',
 'show' => 'Only list items that meet these criteria',
+ 'owner' => 'The name of the user whose watchlist you\'d like to access',
+ 'token' => 'Give a security token (settable in preferences) to allow access to another user\'s watchlist',
 );
 }
 
@@ -179,6 +185,8 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
 return array_merge( parent::getPossibleErrors(), array(
 array( 'code' => 'notloggedin', 'info' => 'You must be logged-in to have a watchlist' ),
 array( 'show' ),
+ array( 'code' => 'bad_wlowner', 'info' => 'Specified user does not exist' ),
+ array( 'code' => 'bad_wltoken', 'info' => 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences' ),
 ) );
 }
 
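Review bot: The new `owner` description in the `getParamDescription` hunk promises access to another user's watchlist, but the shared helper only honours `owner` when `token` is also non-null, so a request supplying `owner` alone is silently answered with the calling user's own watchlist instead of an error, and a client may not notice it is reading the wrong list. Either reject one-without-the-other in the helper or state the pairing in the description, e.g. `'owner' => 'The name of the user whose watchlist you\'d like to access (requires token)'`. The two `getPossibleErrors` entries added in the last hunk copy the message text of the helper in ApiQueryWatchlist.php, so the documented and actual wording will drift silently if either file is edited; sourcing both from one place would prevent that. Because the token travels as an ordinary request parameter it is generally captured by request logs, which makes the ability to change it in preferences, as the description notes, the important mitigation to keep.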