Require POST for action=purge in PurgeAction

For the index.php end point, POSTs do not need a token.

This avoids cross-DC writes in active/active DC setups and
avoids DB writes that can be caused by just accidentally
following a link.

There are no links to action=purge by default in MediaWiki.
User scripts that create purge links will continue to work.
However these links will now point to a confirmation form.
To preserve the immediate-purge-redirect effect, these
scripts should be updated to use the API instead.

Bug: T135170
Change-Id: I5749ff470d99c5e3f22e05ff6856394cc05a0f48

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 8363b32..2ac31bf 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5051,7 +5051,7 @@ $wgGroupPermissions['user']['upload'] = true;
 $wgGroupPermissions['user']['reupload'] = true;
 $wgGroupPermissions['user']['reupload-shared'] = true;
 $wgGroupPermissions['user']['minoredit'] = true;
-$wgGroupPermissions['user']['purge'] = true; // can use ?action=purge without clicking "ok"
+$wgGroupPermissions['user']['purge'] = true;
 $wgGroupPermissions['user']['sendemail'] = true;
 $wgGroupPermissions['user']['applychangetags'] = true;
 $wgGroupPermissions['user']['changetags'] = true;

diff --git a/includes/FeedUtils.php b/includes/FeedUtils.php
index d7dbd22..071a3db 100644 (file)
--- a/includes/FeedUtils.php
+++ b/includes/FeedUtils.php
@@ -39,6 +39,7 @@ class FeedUtils {
                global $wgRequest, $wgUser;
 
                $purge = $wgRequest->getVal( 'action' ) === 'purge';
+               // Allow users with 'purge' right to clear feed caches
                if ( $purge && $wgUser->isAllowed( 'purge' ) ) {
                        $cache = ObjectCache::getMainWANInstance();
                        $cache->delete( $timekey, 1 );

diff --git a/includes/actions/PurgeAction.php b/includes/actions/PurgeAction.php
index 576533d..b2002ff 100644 (file)
--- a/includes/actions/PurgeAction.php
+++ b/includes/actions/PurgeAction.php
@@ -21,10 +21,7 @@
  */
 
 /**
- * User-requested page cache purging.
- *
- * For users with 'purge', this will directly trigger the cache purging and
- * for users without that right, it will show a confirmation form.
+ * User-requested page cache purging
  *
  * @ingroup Actions
  */
@@ -48,10 +45,6 @@ class PurgeAction extends FormAction {
                return $this->page->doPurge();
        }
 
-       /**
-        * purge is slightly weird because it can be either formed or formless depending
-        * on user permissions
-        */
        public function show() {
                $this->setHeaders();
 
@@ -65,11 +58,7 @@ class PurgeAction extends FormAction {
                        return;
                }
 
-               if ( $user->isAllowed( 'purge' ) ) {
-                       // This will update the database immediately, even on HTTP GET.
-                       // Lots of uses may exist for this feature, so just ignore warnings.
-                       Profiler::instance()->getTransactionProfiler()->resetExpectations();
-
+               if ( $this->getRequest()->wasPosted() ) {
                        $this->redirectParams = wfArrayToCgi( array_diff_key(
                                $this->getRequest()->getQueryValues(),
                                [ 'title' => null, 'action' => null ]