API: Making a bunch of state-changing modules require POST requests.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e560cab..5b350ff 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -441,6 +441,7 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API
 * Added cascade flag to prop=info&inprop=protections
 * Added wlshow parameter to list=watchlist, similar to rcshow (list=recentchanges)
 * Added support for image thumbnailing to prop=imageinfo
+* action={login,block,delete,move,protect,rollback,unblock,undelete} now must be POSTed
 
 === Languages updated in 1.12 ===
 

diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 400d0c5..c1f7d58 100644 (file)
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -652,6 +652,13 @@ abstract class ApiBase {
        public function isEditMode() {
                return false;
        }
+       
+       /**
+        * Indicates whether this module must be called with a POST request
+        */
+       public function mustBePosted() {
+               return false;
+       }
 
 
        /**

diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index f59e235..43103d0 100644 (file)
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -113,6 +113,8 @@ class ApiBlock extends ApiBase {
                $this->getResult()->addValue(null, $this->getModuleName(), $res);
        }
 
+       public function mustBePosted() { return true; }
+
        protected function getAllowedParams() {
                return array (
                        'user' => null,

diff --git a/includes/api/ApiDelete.php b/includes/api/ApiDelete.php
index 635d316..1ae5876 100644 (file)
--- a/includes/api/ApiDelete.php
+++ b/includes/api/ApiDelete.php
@@ -118,6 +118,8 @@ class ApiDelete extends ApiBase {
                return array(array('cannotdelete', $article->mTitle->getPrefixedText()));
        }
        
+       public function mustBePosted() { return true; }
+       
        protected function getAllowedParams() {
                return array (
                        'title' => null,

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 82d32bb..54a8a5d 100644 (file)
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -217,6 +217,8 @@ class ApiLogin extends ApiBase {
        private function getMemCacheKey() {
                return wfMemcKey( 'apilogin', 'badlogin', 'ip', wfGetIP() );
        }
+       
+       public function mustBePosted() { return true; }
 
        protected function getAllowedParams() {
                return array (

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index be1dced..4c294a4 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -320,8 +320,11 @@ class ApiMain extends ApiBase {
                                return;
                        }
                }
-
+               
                if (!$this->mInternalMode) {
+                       // Ignore mustBePosted() for internal calls
+                       if($module->mustBePosted() && !$this->mRequest->wasPosted())
+                               $this->dieUsage("The {$this->mAction} module requires a POST request", 'mustbeposted');
 
                        // See if custom printer is used
                        $this->mPrinter = $module->getCustomPrinter();

diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php
index 77f21b3..0c219d3 100644 (file)
--- a/includes/api/ApiMove.php
+++ b/includes/api/ApiMove.php
@@ -110,6 +110,8 @@ class ApiMove extends ApiBase {
                $this->getResult()->addValue(null, $this->getModuleName(), $r);
        }
        
+       public function mustBePosted() { return true; }
+       
        protected function getAllowedParams() {
                return array (
                        'from' => null,

diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 04e2752..6a32434 100644 (file)
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -109,6 +109,8 @@ class ApiProtect extends ApiBase {
                $this->getResult()->addValue(null, $this->getModuleName(), $res);
        }
 
+       public function mustBePosted() { return true; }
+
        protected function getAllowedParams() {
                return array (
                        'title' => null,

diff --git a/includes/api/ApiRollback.php b/includes/api/ApiRollback.php
index 9107edf..0f37ef9 100644 (file)
--- a/includes/api/ApiRollback.php
+++ b/includes/api/ApiRollback.php
@@ -86,6 +86,8 @@ class ApiRollback extends ApiBase {
                $this->getResult()->addValue(null, $this->getModuleName(), $info);
        }
        
+       public function mustBePosted() { return true; }
+       
        protected function getAllowedParams() {
                return array (
                        'title' => null,

diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
index 842267b..7aaa1d5 100644 (file)
--- a/includes/api/ApiUnblock.php
+++ b/includes/api/ApiUnblock.php
@@ -82,6 +82,8 @@ class ApiUnblock extends ApiBase {
                $res['reason'] = $reason;
                $this->getResult()->addValue(null, $this->getModuleName(), $res);
        }
+       
+       public function mustBePosted() { return true; }
 
        protected function getAllowedParams() {
                return array (

diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php
index 06a0ca8..510b777 100644 (file)
--- a/includes/api/ApiUndelete.php
+++ b/includes/api/ApiUndelete.php
@@ -81,6 +81,8 @@ class ApiUndelete extends ApiBase {
                $this->getResult()->addValue(null, $this->getModuleName(), $info);
        }
        
+       public function mustBePosted() { return true; }
+       
        protected function getAllowedParams() {
                return array (
                        'title' => null,