git.heureux-cyclage.org - lhc/web/wiklou.git/commit

author	Aaron Schulz <aschulz@wikimedia.org>
	Thu, 12 May 2016 19:52:00 +0000 (12:52 -0700)
committer	Aaron Schulz <aschulz@wikimedia.org>
	Thu, 11 Aug 2016 01:33:55 +0000 (18:33 -0700)
commit	c2ce6a1b6085cf0cbf0fc2c3542fd36096bf2948
tree	8f2a244d104772a323ac89f8c779e745e4b5af03	tree \| snapshot
parent	b42a366b66c75898d70b0b70eb9be7e73cf0bc35	commit \| diff

Require POST for action=purge in PurgeAction

For the index.php end point, POSTs do not need a token.

This avoids cross-DC writes in active/active DC setups and
avoids DB writes that can be caused by just accidentally
following a link.

There are no links to action=purge by default in MediaWiki.
User scripts that create purge links will continue to work.
However these links will now point to a confirmation form.
To preserve the immediate-purge-redirect effect, these
scripts should be updated to use the API instead.

Bug: T135170
Change-Id: I5749ff470d99c5e3f22e05ff6856394cc05a0f48

includes/DefaultSettings.php		diff \| blob \| history
includes/FeedUtils.php		diff \| blob \| history
includes/actions/PurgeAction.php		diff \| blob \| history