X-Git-Url: http://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2Fspecialpage%2FSpecialPage.php;h=317aa0d7c84ab1929cf97db7ece15cef71b50079;hb=bfc4e41636aca33b943f8522024bd9f8eeac1977;hp=4c3ca54b329021453914cfd979cabff6686a02ab;hpb=2480aae0c97d822e10b50619e7b48b25c45af073;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/specialpage/SpecialPage.php b/includes/specialpage/SpecialPage.php index 4c3ca54b32..317aa0d7c8 100644 --- a/includes/specialpage/SpecialPage.php +++ b/includes/specialpage/SpecialPage.php @@ -352,6 +352,23 @@ class SpecialPage implements MessageLocalizer { return false; } + /** + * Record preserved POST data after a reauthentication. + * + * This is called from checkLoginSecurityLevel() when returning from the + * redirect for reauthentication, if the redirect had been served in + * response to a POST request. + * + * The base SpecialPage implementation does nothing. If your subclass uses + * getLoginSecurityLevel() or checkLoginSecurityLevel(), it should probably + * implement this to do something with the data. + * + * @since 1.32 + * @param array $data + */ + protected function setReauthPostData( array $data ) { + } + /** * Verifies that the user meets the security level, possibly reauthenticating them in the process. * @@ -378,16 +395,42 @@ class SpecialPage implements MessageLocalizer { */ protected function checkLoginSecurityLevel( $level = null ) { $level = $level ?: $this->getName(); + $key = 'SpecialPage:reauth:' . $this->getName(); + $request = $this->getRequest(); + $securityStatus = AuthManager::singleton()->securitySensitiveOperationStatus( $level ); if ( $securityStatus === AuthManager::SEC_OK ) { + $uniqueId = $request->getVal( 'postUniqueId' ); + if ( $uniqueId ) { + $key = $key . ':' . $uniqueId; + $session = $request->getSession(); + $data = $session->getSecret( $key ); + if ( $data ) { + $session->remove( $key ); + $this->setReauthPostData( $data ); + } + } return true; } elseif ( $securityStatus === AuthManager::SEC_REAUTH ) { - $request = $this->getRequest(); $title = self::getTitleFor( 'Userlogin' ); + $queryParams = $request->getQueryValues(); + + if ( $request->wasPosted() ) { + $data = array_diff_assoc( $request->getValues(), $request->getQueryValues() ); + if ( $data ) { + // unique ID in case the same special page is open in multiple browser tabs + $uniqueId = MWCryptRand::generateHex( 6 ); + $key = $key . ':' . $uniqueId; + $queryParams['postUniqueId'] = $uniqueId; + $session = $request->getSession(); + $session->persist(); // Just in case + $session->setSecret( $key, $data ); + } + } + $query = [ 'returnto' => $this->getFullTitle()->getPrefixedDBkey(), - 'returntoquery' => wfArrayToCgi( array_diff_key( $request->getQueryValues(), - [ 'title' => true ] ) ), + 'returntoquery' => wfArrayToCgi( array_diff_key( $queryParams, [ 'title' => true ] ) ), 'force' => $level, ]; $url = $title->getFullURL( $query, false, PROTO_HTTPS ); @@ -568,7 +611,10 @@ class SpecialPage implements MessageLocalizer { public function execute( $subPage ) { $this->setHeaders(); $this->checkPermissions(); - $this->checkLoginSecurityLevel( $this->getLoginSecurityLevel() ); + $securityLevel = $this->getLoginSecurityLevel(); + if ( $securityLevel !== false && !$this->checkLoginSecurityLevel( $securityLevel ) ) { + return; + } $this->outputHeader(); } @@ -615,6 +661,7 @@ class SpecialPage implements MessageLocalizer { * @deprecated since 1.23, use SpecialPage::getPageTitle */ function getTitle( $subpage = false ) { + wfDeprecated( __METHOD__, '1.23' ); return $this->getPageTitle( $subpage ); } @@ -809,7 +856,7 @@ class SpecialPage implements MessageLocalizer { public function getFinalGroupName() { $name = $this->getName(); - // Allow overbidding the group from the wiki side + // Allow overriding the group from the wiki side $msg = $this->msg( 'specialpages-specialpagegroup-' . strtolower( $name ) )->inContentLanguage(); if ( !$msg->isBlank() ) { $group = $msg->text();