From 1c48deee3b72e65ec66496318f8516ff673586b7 Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Mon, 30 Jan 2012 23:44:34 +0000
Subject: [PATCH] (bug 33992) - "Allow anon a formless purge with POST". Changed HTMLForm::tryAuthorizedSubmit() to (a) require post for forms that are supposed to be posted and (b) bypass the token check for anons as it doesn't really do much except be slightly annoying. The tokens are just User::EDIT_TOKEN_SUFFIX in that case.

---
 includes/HTMLForm.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/includes/HTMLForm.php b/includes/HTMLForm.php
index acc6b23f2b..7326bf5c1e 100644
--- a/includes/HTMLForm.php
+++ b/includes/HTMLForm.php
@@ -240,12 +240,27 @@ class HTMLForm extends ContextSource {
 	 * @return Status|boolean
 	 */
 	function tryAuthorizedSubmit() {
-		$editToken = $this->getRequest()->getVal( 'wpEditToken' );
-		$result = false;
-		if ( $this->getMethod() != 'post' || $this->getUser()->matchEditToken( $editToken ) ) {
+
+		$submit = false;
+		if ( $this->getMethod() != 'post' ) {
+			$submit = true; // no session check needed
+		} elseif ( $this->getRequest()->wasPosted() ) {
+			$editToken = $this->getRequest()->getVal( 'wpEditToken' );
+			if ( $this->getUser()->isLoggedIn() || $editToken != null ) {
+				// Session tokens for logged-out users have no security value.
+				// However, if the user gave one, check it in order to give a nice
+				// "session expired" error instead of "permission denied" or such.
+				$submit = $this->getUser()->matchEditToken( $editToken );
+			} else {
+				$submit = true;
+			}
+		}
+
+		if ( $submit ) {
 			$result = $this->trySubmit();
 		}
+
 		return $result;
 	}
-- 
2.20.1
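Review bot: `$result` is no longer initialized before `if ( $submit )`, so the `return $result;` at the end of the hunk reads an undefined variable whenever the submission is refused (a POST form reached without a POST, or a logged-in user's token mismatch); the removed initialization should come back as `$result = false;` directly above `if ( $submit ) {`, which also keeps the documented `Status|boolean` return honest. Separately, `$editToken != null` is a loose comparison, so a posted empty string (or `'0'`) counts as "no token given" and an anonymous submission skips the "session expired" path the comment promises; `$editToken !== null` (or `strlen( $editToken ) > 0`) would state the intent. With this change an anonymous POST is accepted with no token at all, as the message says; if any form's anonymous handling still needs request-forgery protection, it now has to enforce that itself rather than relying on tryAuthorizedSubmit(). The method's docblock starts above the hunk.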