Merge "Special:Search: Remove token from URL when saving settings"
authorjenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Mon, 18 Aug 2014 18:30:03 +0000 (18:30 +0000)
committerGerrit Code Review <gerrit@wikimedia.org>
Mon, 18 Aug 2014 18:30:03 +0000 (18:30 +0000)
includes/specials/SpecialSearch.php
resources/src/mediawiki.special/mediawiki.special.search.js

index 71cd9ba..59d65bc 100644 (file)
@@ -96,6 +96,16 @@ class SpecialSearch extends SpecialPage {
                $search = str_replace( "\n", " ", $request->getText( 'search', $titleParam ) );
 
                $this->load();
+               if ( !is_null( $request->getVal( 'nsRemember' ) ) ) {
+                       $this->saveNamespaces();
+                       // Remove the token from the URL to prevent the user from inadvertently
+                       // exposing it (e.g. by pasting it into a public wiki page) or undoing
+                       // later settings changes (e.g. by reloading the page).
+                       $query = $request->getValues();
+                       unset( $query['title'], $query['nsRemember'] );
+                       $out->redirect( $this->getPageTitle()->getFullURL( $query ) );
+                       return;
+               }
 
                $this->searchEngineType = $request->getVal( 'srbackend' );
 
@@ -209,7 +219,6 @@ class SpecialSearch extends SpecialPage {
                $search = $this->getSearchEngine();
                $search->setLimitOffset( $this->limit, $this->offset );
                $search->setNamespaces( $this->namespaces );
-               $this->saveNamespaces();
                $search->prefix = $this->mPrefix;
                $term = $search->transformSearchTerm( $term );
 
@@ -516,9 +525,8 @@ class SpecialSearch extends SpecialPage {
                $request = $this->getRequest();
 
                if ( $user->isLoggedIn() &&
-                       !is_null( $request->getVal( 'nsRemember' ) ) &&
                        $user->matchEditToken(
-                               $request->getVal( 'nsToken' ),
+                               $request->getVal( 'nsRemember' ),
                                'searchnamespace',
                                $request
                        )
@@ -528,7 +536,7 @@ class SpecialSearch extends SpecialPage {
                        foreach ( MWNamespace::getValidNamespaces() as $n ) {
                                $user->setOption( 'searchNs' . $n, false );
                        }
-                       // The request parameters include all the namespaces we just searched.
+                       // The request parameters include all the namespaces to be searched.
                        // Even if they're the same as an existing profile, they're not eaten.
                        foreach ( $this->namespaces as $n ) {
                                $user->setOption( 'searchNs' . $n, true );
@@ -932,18 +940,17 @@ class SpecialSearch extends SpecialPage {
                $remember = '';
                $user = $this->getUser();
                if ( $user->isLoggedIn() ) {
-                       $remember .= Html::hidden(
-                               'nsToken',
-                               $user->getEditToken(
-                                       'searchnamespace',
-                                       $this->getRequest()
-                               )
-                       ) .
-                       Xml::checkLabel(
+                       $remember .= Xml::checkLabel(
                                wfMessage( 'powersearch-remember' )->text(),
                                'nsRemember',
                                'mw-search-powersearch-remember',
-                               false
+                               false,
+                               // The token goes here rather than in a hidden field so it
+                               // is only sent when necessary (not every form submission).
+                               array( 'value' => $user->getEditToken(
+                                       'searchnamespace',
+                                       $this->getRequest()
+                               ) )
                        );
                }
 
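Review bot: The `nsRemember` guard in the first hunk of this file redirects unconditionally after calling `saveNamespaces()`, but the third hunk shows that method only writes the options when the user is logged in and `matchEditToken()` accepts the value, so an expired session or a link carrying a stale or altered token leaves the settings unsaved and the user lands on an ordinary result page with no indication that anything failed. Consider having `saveNamespaces()` return whether the token matched, e.g. `$saved = $this->saveNamespaces();`, and surfacing a notice on the redirected page when it is false; a silently ignored token check is indistinguishable from a successful save and hard to debug. Separately, the redirect removes the token from the address bar but not from the GET request that already reached the server (access logs, intermediate proxies) whenever JavaScript has not switched the form to POST, so the comment beginning `// Remove the token from the URL to prevent the user from inadvertently` could state that limit of the guarantee. The enclosing method (execute(), judging by the surrounding code) begins and ends outside the hunk.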
index 60cf46a..a4128f9 100644 (file)
                        } );
                } ).trigger( 'change' );
 
+               // When saving settings, use the proper request method (POST instead of GET).
+               $( '#mw-search-powersearch-remember' ).change( function () {
+                       this.form.method = this.checked ? 'post' : 'get';
+               } ).trigger( 'change' );
+
        } );
 
 }( mediaWiki, jQuery ) );
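Review bot: The new `change` handler dereferences `this.form` without a guard, so if the `#mw-search-powersearch-remember` checkbox were ever rendered outside a `<form>` the immediate `.trigger( 'change' )` would throw inside the ready callback; a one-line guard such as `if ( !this.form ) { return; }` at the top of the handler would make the enhancement fail soft. More importantly for the edit token this checkbox carries as its value, the switch to POST only happens when JavaScript runs; without it the form submits via GET and the token travels in the query string until the server-side redirect strips it. The comment above the handler could say so, e.g. `// Without JS the form stays GET and the token is sent in the query string; SpecialSearch redirects it away afterwards.` The enclosing ready callback starts outside the hunk.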