'basetimestamp' => $baseTime,
'section' => 'new',
'redirect' => true,
- ], null, self::$users['sysop']->getUser() );
+ ] );
$this->assertSame( 'Success', $re['edit']['result'],
"no problems expected when following redirect" );
'text' => 'nix bar!',
'basetimestamp' => $baseTime,
'redirect' => true,
- ], null, self::$users['sysop']->getUser() );
+ ] );
$this->fail( 'redirect-appendonly error expected' );
} catch ( ApiUsageException $ex ) {
'title' => $name,
'text' => 'nix bar!',
'basetimestamp' => $baseTime,
- ], null, self::$users['sysop']->getUser() );
+ ] );
$this->fail( 'edit conflict expected' );
} catch ( ApiUsageException $ex ) {
'text' => 'nix bar!',
'basetimestamp' => $baseTime,
'section' => 'new',
- ], null, self::$users['sysop']->getUser() );
+ ] );
$this->assertSame( 'Success', $re['edit']['result'],
"no edit conflict expected here" );
'text' => 'nix bar!',
'section' => 'new',
'redirect' => true,
- ], null, self::$users['sysop']->getUser() );
+ ] );
$this->assertSame( 'Success', $re['edit']['result'],
"no edit conflict expected here" );
$name = 'Help:' . __FUNCTION__;
$uploader = self::$users['uploader']->getUser();
$sysop = self::$users['sysop']->getUser();
+
$apiResult = $this->doApiRequestWithToken( [
'action' => 'edit',
'title' => $name,
public function testCreateImageRedirectAnon() {
$name = 'File:' . ucfirst( __FUNCTION__ );
- // @todo When ApiTestCase supports anonymous users, this exception
- // should no longer be thrown, and the test can then be updated to test
- // for the actual expected behavior.
$this->setExpectedException( ApiUsageException::class,
- 'Invalid CSRF token.' );
-
- $this->doApiRequestWithToken( [
- 'action' => 'logout',
- ] );
+ "Anonymous users can't create image redirects." );
$this->doApiRequestWithToken( [
'action' => 'edit',
'title' => $name,
'text' => '#REDIRECT [[File:Other file.png]]',
- ] );
+ ], null, new User() );
}
public function testCreateImageRedirectLoggedIn() {
public function testProhibitedAnonymousEdit() {
$name = 'Help:' . ucfirst( __FUNCTION__ );
- // @todo See comment in testCreateImageRedirectAnon
$this->setExpectedException( ApiUsageException::class,
- 'Invalid CSRF token.' );
- $this->setMwGlobals( 'wgRevokePermissions',
- [ '*' => [ 'edit' => true ] ] );
+ 'The action you have requested is limited to users in the group: ' );
- $this->doApiRequestWithToken( [
- 'action' => 'logout',
- ] );
+ $this->setMwGlobals( 'wgRevokePermissions', [ '*' => [ 'edit' => true ] ] );
$this->doApiRequestWithToken( [
'action' => 'edit',
'title' => $name,
'text' => 'Some text',
- ] );
+ ], null, new User() );
}
public function testProhibitedChangeContentModel() {
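Review bot: The expected message added in testProhibitedAnonymousEdit stops at `'The action you have requested is limited to users in the group: '`, so the test does not pin which right was refused. Assuming PHPUnit matches the expected message as a substring, any permission error that begins with this text would satisfy it, not only the revoked `edit` right. If ApiUsageException exposes an error code or message key in this version, asserting on that would tie the test to the denial it is meant to cover. Failing that, a comment above the call would document the limitation: `// Prefix match only: the group list after the colon depends on configuration.`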
<?php
+use MediaWiki\Session\SessionManager;
+
abstract class ApiTestCase extends MediaWikiLangTestCase {
protected static $apiUrl;
* @param array|null $session
* @param bool $appendModule
* @param User|null $user
+ * @param string|null $tokenType Set to a string like 'csrf' to send an
+ * appropriate token
*
* @return array
*/
protected function doApiRequest( array $params, array $session = null,
- $appendModule = false, User $user = null
+ $appendModule = false, User $user = null, $tokenType = null
) {
global $wgRequest, $wgUser;
$session = $wgRequest->getSessionArray();
}
+ $sessionObj = SessionManager::singleton()->getEmptySession();
+
+ if ( $session !== null ) {
+ foreach ( $session as $key => $value ) {
+ $sessionObj->set( $key, $value );
+ }
+ }
+
// set up global environment
if ( $user ) {
$wgUser = $user;
}
- $wgRequest = new FauxRequest( $params, true, $session );
+ if ( $tokenType !== null ) {
+ $params['token'] = ApiQueryTokens::getToken(
+ $wgUser, $sessionObj, ApiQueryTokens::getTokenTypeSalts()[$tokenType]
+ )->toString();
+ }
+
+ $wgRequest = new FauxRequest( $params, true, $sessionObj );
RequestContext::getMain()->setRequest( $wgRequest );
RequestContext::getMain()->setUser( $wgUser );
MediaWiki\Auth\AuthManager::resetCache();
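Review bot: The lookup `ApiQueryTokens::getTokenTypeSalts()[$tokenType]` in the added `if ( $tokenType !== null )` block is unchecked. A misspelled or unsupported token type would presumably index a missing key and pass a null salt to getToken() instead of failing the test setup clearly. Guard it first with `$salts = ApiQueryTokens::getTokenTypeSalts();` followed by `if ( !isset( $salts[$tokenType] ) ) { throw new InvalidArgumentException( "Unknown token type '$tokenType'" ); }`. The block also overwrites any `token` the caller already put in `$params`, so the `$tokenType` doc line should say that tests of bad-token handling must leave it null. doApiRequest's body starts before and continues after this hunk.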
}
/**
- * Add an edit token to the API request
- * This is cheating a bit -- we grab a token in the correct format and then
- * add it to the pseudo-session and to the request, without actually
- * requesting a "real" edit token.
+ * Convenience function to access the token parameter of doApiRequest()
+ * more succinctly.
*
* @param array $params Key-value API params
* @param array|null $session Session array
* @param User|null $user A User object for the context
+ * @param string $tokenType Which token type to pass
* @return array Result of the API call
- * @throws Exception In case wsToken is not set in the session
*/
protected function doApiRequestWithToken( array $params, array $session = null,
- User $user = null
+ User $user = null, $tokenType = 'csrf'
) {
- global $wgRequest;
-
- if ( $session === null ) {
- $session = $wgRequest->getSessionArray();
- }
-
- if ( isset( $session['wsToken'] ) && $session['wsToken'] ) {
- // @todo Why does this directly mess with the session? Fix that.
- // add edit token to fake session
- $session['wsTokenSecrets']['default'] = $session['wsToken'];
- // add token to request parameters
- $timestamp = wfTimestamp();
- $params['token'] = hash_hmac( 'md5', $timestamp, $session['wsToken'] ) .
- dechex( $timestamp ) .
- MediaWiki\Session\Token::SUFFIX;
-
- return $this->doApiRequest( $params, $session, false, $user );
- } else {
- throw new Exception( "Session token not available" );
- }
+ return $this->doApiRequest( $params, $session, false, $user, $tokenType );
}
protected function doLogin( $testUser = 'sysop' ) {