Move CSRF token handling into MediaWiki\Session\Session

[lhc/web/wiklou.git] / includes / api / ApiBase.php

diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 5f67a22..425a337 100644 (file)
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -637,6 +637,17 @@ abstract class ApiBase extends ContextSource {
         * @{
         */
 
+       /**
+        * Indicate if the module supports dynamically-determined parameters that
+        * cannot be included in self::getAllowedParams().
+        * @return string|array|Message|null Return null if the module does not
+        *  support additional dynamic parameters, otherwise return a message
+        *  describing them.
+        */
+       public function dynamicParameterDocumentation() {
+               return null;
+       }
+
        /**
         * This method mangles parameter name based on the prefix supplied to the constructor.
         * Override this method to change parameter name during runtime
@@ -1249,11 +1260,10 @@ abstract class ApiBase extends ContextSource {
                        );
                }
 
-               if ( $this->getUser()->matchEditToken(
-                       $token,
-                       $salts[$tokenType],
-                       $this->getRequest()
-               ) ) {
+               $tokenObj = ApiQueryTokens::getToken(
+                       $this->getUser(), $this->getRequest()->getSession(), $salts[$tokenType]
+               );
+               if ( $tokenObj->match( $token ) ) {
                        return true;
                }