API: No mustposttoken error with $wgDebugAPI

$wgDebugAPI is supposed to be a way to quickly (and insecurely) test API
modules using GET where they'd normally require POST. But this purpose
is defeated if token handling still throws mustposttoken.

Change-Id: Iee2fb76da86bf0670f9816f24f68c611fa0728b1

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 0d677b1..bd20b14 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -783,10 +783,12 @@ class ApiMain extends ApiBase {
                                $this->dieUsageMsg( array( 'missingparam', 'token' ) );
                        }
 
-                       if ( array_key_exists(
-                               $module->encodeParamName( 'token' ),
-                               $this->getRequest()->getQueryValues()
-                       ) ) {
+                       if ( !$this->getConfig()->get( 'DebugAPI' ) &&
+                               array_key_exists(
+                                       $module->encodeParamName( 'token' ),
+                                       $this->getRequest()->getQueryValues()
+                               )
+                       ) {
                                $this->dieUsage(
                                        "The '{$module->encodeParamName( 'token' )}' parameter was found in the query string, but must be in the POST body",
                                        'mustposttoken'