From 74c2b22e84220c3c4de5db06d67022ade99edf44 Mon Sep 17 00:00:00 2001
From: Bryan Tong Minh
Date: Mon, 2 Jun 2008 19:15:56 +0000
Subject: [PATCH] Put ratelimiter and edittoken checking in backend.

---
 includes/SpecialEmailuser.php | 92 ++++++++++++++++++++++-------------
 includes/api/ApiEmailUser.php | 19 +++----
 2 files changed, 65 insertions(+), 46 deletions(-)

diff --git a/includes/SpecialEmailuser.php b/includes/SpecialEmailuser.php
index 52aa53a2f9..c06d7a5a18 100644
--- a/includes/SpecialEmailuser.php
+++ b/includes/SpecialEmailuser.php
@@ -10,35 +10,44 @@ function wfSpecialEmailuser( $par ) { global $wgRequest, $wgUser, $wgOut; - $target = isset($par) ? $par : $wgRequest->getVal( 'target' ); - $error = EmailUserForm::getPermissionsError( $target ); - if ( $error ) { - if ( $error[0] === "blockedemailuser" ) { - $wgOut->blockedPage(); - return; - } else { - $wgOut->showErrorPage( $error[0], $error[1] ); - return; - } + $action = $wgRequest->getVal( 'action' ); + $target = isset($par) ? $par : $wgRequest->getVal( 'target' ); + $targetUser = EmailUserForm::validateEmailTarget( $target ); + + if ( !( $targetUser instanceof User ) ) { + $wgOut->showErrorPage( $targetUser[0], $targetUser[1] ); + return; } - - $form = EmailUserForm::newFromURL( $target, + + $form = new EmailUserForm( $targetUser, $wgRequest->getText( 'wpText' ), $wgRequest->getText( 'wpSubject' ), $wgRequest->getBool( 'wpCCMe' ) ); - - $action = $wgRequest->getVal( 'action' ); - if ( "success" == $action ) { + if ( $action == 'success' ) { $form->showSuccess(); - } else if ( "submit" == $action && $wgRequest->wasPosted() && - $wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ) ) - { - # Check against the rate limiter - if( $wgUser->pingLimiter( 'emailuser' ) ) { - $wgOut->rateLimited(); - return; + return; + } + + $error = EmailUserForm::getPermissionsError( $wgUser, $wgRequest->getVal( 'wpEditToken' ) ); + if ( $error ) { + switch ( $error[0] ) { + case 'blockedemailuser': + $wgOut->blockedPage(); + return; + case 'actionthrottledtext': + $wgOut->rateLimited(); + return; + case 'sessionfailure': + $form->showForm(); + return; + default: + $wgOut->showErrorPage( $error[0], $error[1] ); + return; } - + } + + + if ( "submit" == $action && $wgRequest->wasPosted() ) { $result = $form->doSubmit(); if ( !is_null( $result ) ) { 
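Review bot: getPermissionsError() is now called on every request, ahead of the `"submit" == $action && $wgRequest->wasPosted()` test, so a plain GET of the form runs `$user->pingLimiter( 'emailuser' )` and consumes the sender's quota, whereas the removed code only pinged the limiter on a posted submit whose edit token matched. A throttled user therefore cannot even load the form, because the `'actionthrottledtext'` case calls rateLimited() and returns before showForm(). Since a form view carries no wpEditToken, checking matchEditToken() before pingLimiter() inside getPermissionsError (the `@@ -248` hunk) would stop views and token-less requests from being counted; alternatively keep the limiter under the submit branch here. The target is also validated before the sender's own canSendEmail()/block state, which reverses the removed order (see the ApiEmailUser hunk). wfSpecialEmailuser() continues past the end of this hunk.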
@@ -215,22 +224,12 @@ class EmailUserForm { return $this->target; } - static function getPermissionsError ( $target ) { - global $wgUser, $wgRequest, $wgEnableEmail, $wgEnableUserEmail; + static function validateEmailTarget ( $target ) { + global $wgEnableEmail, $wgEnableUserEmail; if( !( $wgEnableEmail && $wgEnableUserEmail ) ) return array( "nosuchspecialpage", "nospecialpagetext" ); - - if( !$wgUser->canSendEmail() ) { - wfDebug( "User can't send.\n" ); - return array( "mailnologin", "mailnologintext" ); - } - if( $wgUser->isBlockedFromEmailuser() ) { - wfDebug( "User is blocked from sending e-mail.\n" ); - return array( "blockedemailuser", "" ); - } - if ( "" == $target ) { wfDebug( "Target is empty.\n" ); return array( "notargettitle", "notargettext" ); @@ -248,6 +247,29 @@ class EmailUserForm { return array( "noemailtitle", "noemailtext" ); } + return $nu; + } + static function getPermissionsError ( $user, $editToken ) { + if( !$user->canSendEmail() ) { + wfDebug( "User can't send.\n" ); + return array( "mailnologin", "mailnologintext" ); + } + + if( $user->isBlockedFromEmailuser() ) { + wfDebug( "User is blocked from sending e-mail.\n" ); + return array( "blockedemailuser", "" ); + } + + if( $user->pingLimiter( 'emailuser' ) ) { + wfDebug( "Ping limiter triggered.\n" ); + return array( 'actionthrottledtext', '' ); + } + + if( !$user->matchEditToken( $editToken ) ) { + wfDebug( "Matching edit token failed.\n" ); + return array( 'sessionfailure', '' ); + } + return; } diff --git a/includes/api/ApiEmailUser.php b/includes/api/ApiEmailUser.php index ae879c0571..a801773058 100644 --- a/includes/api/ApiEmailUser.php +++ b/includes/api/ApiEmailUser.php 
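Review bot: validateEmailTarget() now has two return shapes — the User in `$nu` (assigned below this hunk) on success and a two-element message-key array on failure — and both callers rely on `instanceof User` to tell them apart, but nothing at the definition says so. A docblock above the new signature stating `@return User|array the validated target, or array( $errorTitleKey, $errorTextKey )` would make that contract explicit for the next caller. The `nosuchspecialpage` array is returned here for a configuration condition (`$wgEnableEmail`/`$wgEnableUserEmail` off) rather than a bad target; a one-line comment saying the feature-disabled case is deliberately folded into target validation would help. The function body continues past the hunk.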
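Review bot: getPermissionsError() signals success with a bare `return;` while every failure returns `array( key, text )`, so callers test `if ( $error )` on a null-or-array value; a docblock such as `@return array|null array( $msgKey, $msgText ) for the first failing check, or null when $user may send` would pin that contract, and `return null;` reads clearer than the bare return. The `$editToken` argument is handed straight to matchEditToken(), so callers must pass the raw request value (which may be null when the field is absent); that is worth stating in the docblock too. The checks run in the order canSendEmail, block, limiter, token, so the limiter counts a request before its token is known to be valid; see the remark on the first hunk for the consequence and the suggested reorder.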
@@ -50,21 +50,18 @@ class ApiEmailUser extends ApiBase { if ( !isset( $params['token'] ) ) $this->dieUsageMsg( array( 'missingparam', 'token' ) ); - // Match edit token - if( !$wgUser->matchEditToken( $params['token'] ) ) - $this->dieUsageMsg( array( 'sessionfailure' ) ); + // Validate target + $targetUser = EmailUserForm::validateEmailTarget( $params['target'] ); + if ( !( $targetUser instanceof User ) ) + $this->dieUsageMsg( $targetUser[0] ); // Check permissions - $errors = EmailUserForm::getPermissionsError( $params['target'] ); - if ( $errors ) - $this->dieUsageMsg( $errors[0] ); + $error = EmailUserForm::getPermissionsError( $wgUser, $params['token'] ); + if ( $error ) + $this->dieUsageMsg( array( $error[0] ) ); - // Rate limiter - if( $wgUser->pingLimiter( 'emailuser' ) ) - $this->dieUsageMsg( 'actionthrottledtext' ); - $form = EmailUserForm::newFromURL( $params['target'], - $params['text'], $params['subject'], $params['ccme'] ); + $form = new EmailUserForm( $targetUser, $params['text'], $params['subject'], $params['ccme'] ); $retval = $form->doSubmit(); if ( is_null( $retval ) ) $result = array(); -- 2.20.1
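Review bot: The two new dieUsageMsg() calls pass different shapes — `$this->dieUsageMsg( $targetUser[0] )` hands over a bare string while the permissions branch wraps it as `array( $error[0] )`; pick one form, e.g. `$this->dieUsageMsg( array( $targetUser[0] ) );`. The target is now validated before the sender's own permissions and token are checked, reversing the removed order (matchEditToken first, then getPermissionsError, which in its old form checked canSendEmail and the block before looking at the target); a caller whose account cannot send e-mail, or whose token is invalid, now receives the target-specific codes (e.g. noemailtitle from validateEmailTarget) instead of mailnologin or sessionfailure, which reveals whether the named user has e-mail enabled. Moving the `getPermissionsError( $wgUser, $params['token'] )` call above `validateEmailTarget( $params['target'] )` restores the old order; the same applies to wfSpecialEmailuser() in the first hunk. The removed `// Rate limiter` block is covered by the 'actionthrottledtext' return from getPermissionsError(), so that part is consistent.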