From 491cc4a3209e5ea6361525b56809ceb53c49b15d Mon Sep 17 00:00:00 2001 From: Roan Kattouw Date: Fri, 18 Jan 2008 20:43:59 +0000 Subject: [PATCH] API: Making a bunch of state-changing modules require POST requests. --- RELEASE-NOTES | 1 + includes/api/ApiBase.php | 7 +++++++ includes/api/ApiBlock.php | 2 ++ includes/api/ApiDelete.php | 2 ++ includes/api/ApiLogin.php | 2 ++ includes/api/ApiMain.php | 5 ++++- includes/api/ApiMove.php | 2 ++ includes/api/ApiProtect.php | 2 ++ includes/api/ApiRollback.php | 2 ++ includes/api/ApiUnblock.php | 2 ++ includes/api/ApiUndelete.php | 2 ++ 11 files changed, 28 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index e560cab4c5..5b350ffd00 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -441,6 +441,7 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API * Added cascade flag to prop=info&inprop=protections * Added wlshow parameter to list=watchlist, similar to rcshow (list=recentchanges) * Added support for image thumbnailing to prop=imageinfo +* action={login,block,delete,move,protect,rollback,unblock,undelete} now must be POSTed === Languages updated in 1.12 === diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php index 400d0c51ed..c1f7d584c7 100644 --- a/includes/api/ApiBase.php +++ b/includes/api/ApiBase.php @@ -652,6 +652,13 @@ abstract class ApiBase { public function isEditMode() { return false; } + + /** + * Indicates whether this module must be called with a POST request + */ + public function mustBePosted() { + return false; + } /** diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php index f59e235c03..43103d047b 100644 --- a/includes/api/ApiBlock.php +++ b/includes/api/ApiBlock.php @@ -113,6 +113,8 @@ class ApiBlock extends ApiBase { $this->getResult()->addValue(null, $this->getModuleName(), $res); } + public function mustBePosted() { return true; } + protected function getAllowedParams() { return array ( 'user' => null, 
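Review bot: The new `ApiBase::mustBePosted()` defaults to `false`, so any state-changing module that does not override it stays reachable over GET, and the docblock does not state that contract. I would extend the docblock with a line such as `Modules that change state or accept credentials must override this and return true.` and add `@return bool`. The commit subject says only "a bunch of" modules were converted, so the remaining write modules, which are not visible in this patch, are worth auditing against the same rule. The class body continues outside the hunk.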
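Review bot: The one-line override `public function mustBePosted() { return true; }` in ApiBlock carries no comment, and the same holds for the identical overrides in ApiDelete, ApiMove, ApiProtect, ApiRollback, ApiUnblock and ApiUndelete. Requiring POST keeps these actions from being triggered by a plain link or embedded URL, but a cross-site form can still submit a POST, so the method check does not replace token validation. That validation presumably happens in each module's `execute()`, which lies outside these hunks; please confirm it does. A comment above each override such as `// State-changing action: refuse GET. POST alone is not CSRF protection; token validation is still required.` would record the intent.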
diff --git a/includes/api/ApiDelete.php b/includes/api/ApiDelete.php index 635d316210..1ae5876d70 100644 --- a/includes/api/ApiDelete.php +++ b/includes/api/ApiDelete.php @@ -118,6 +118,8 @@ class ApiDelete extends ApiBase { return array(array('cannotdelete', $article->mTitle->getPrefixedText())); } + public function mustBePosted() { return true; } + protected function getAllowedParams() { return array ( 'title' => null, diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php index 82d32bbba8..54a8a5d731 100644 --- a/includes/api/ApiLogin.php +++ b/includes/api/ApiLogin.php @@ -217,6 +217,8 @@ class ApiLogin extends ApiBase { private function getMemCacheKey() { return wfMemcKey( 'apilogin', 'badlogin', 'ip', wfGetIP() ); } + + public function mustBePosted() { return true; } protected function getAllowedParams() { return array ( diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index be1dcede70..4c294a464d 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -320,8 +320,11 @@ class ApiMain extends ApiBase { return; } } - + if (!$this->mInternalMode) { + // Ignore mustBePosted() for internal calls + if($module->mustBePosted() && !$this->mRequest->wasPosted()) + $this->dieUsage("The {$this->mAction} module requires a POST request", 'mustbeposted'); // See if custom printer is used $this->mPrinter = $module->getCustomPrinter(); diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php index 77f21b3b7a..0c219d34e4 100644 --- a/includes/api/ApiMove.php +++ b/includes/api/ApiMove.php @@ -110,6 +110,8 @@ class ApiMove extends ApiBase { $this->getResult()->addValue(null, $this->getModuleName(), $r); } + public function mustBePosted() { return true; } + protected function getAllowedParams() { return array ( 'from' => null, diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php index 04e2752668..6a32434090 100644 --- a/includes/api/ApiProtect.php +++ b/includes/api/ApiProtect.php 
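Review bot: In ApiLogin the override `public function mustBePosted() { return true; }` constrains only the HTTP method, which by itself does not keep credentials out of the URL. If the request object still merges query-string parameters into a POSTed request (not visible in this patch), a client that sends the password parameter in the query string is accepted and the value still lands in access logs and Referer headers. I would document on the override that the login parameters are expected in the POST body, and check whether the request API allows reading them from the body only.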
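Review bot: The new guard `if($module->mustBePosted() && !$this->mRequest->wasPosted())` in ApiMain is a braceless two-line `if` nested inside `if (!$this->mInternalMode)`, so a later edit can easily add a statement that escapes the condition; wrap the `dieUsage()` call in braces. The comment `// Ignore mustBePosted() for internal calls` should also say why the exemption is acceptable, for example (if this is the reasoning) `// Internal callers construct the request themselves, so the HTTP method carries no meaning; they stay responsible for permission and token checks`. `dieUsage()` now fires before `$this->mPrinter` is assigned a few lines further down, so please confirm the error path falls back to a default printer. The enclosing method starts and ends outside the hunk.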
@@ -109,6 +109,8 @@ class ApiProtect extends ApiBase { $this->getResult()->addValue(null, $this->getModuleName(), $res); } + public function mustBePosted() { return true; } + protected function getAllowedParams() { return array ( 'title' => null, diff --git a/includes/api/ApiRollback.php b/includes/api/ApiRollback.php index 9107edf5bc..0f37ef9301 100644 --- a/includes/api/ApiRollback.php +++ b/includes/api/ApiRollback.php @@ -86,6 +86,8 @@ class ApiRollback extends ApiBase { $this->getResult()->addValue(null, $this->getModuleName(), $info); } + public function mustBePosted() { return true; } + protected function getAllowedParams() { return array ( 'title' => null, diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php index 842267b5f3..7aaa1d5065 100644 --- a/includes/api/ApiUnblock.php +++ b/includes/api/ApiUnblock.php @@ -82,6 +82,8 @@ class ApiUnblock extends ApiBase { $res['reason'] = $reason; $this->getResult()->addValue(null, $this->getModuleName(), $res); } + + public function mustBePosted() { return true; } protected function getAllowedParams() { return array ( diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php index 06a0ca8cf3..510b7777c8 100644 --- a/includes/api/ApiUndelete.php +++ b/includes/api/ApiUndelete.php @@ -81,6 +81,8 @@ class ApiUndelete extends ApiBase { $this->getResult()->addValue(null, $this->getModuleName(), $info); } + public function mustBePosted() { return true; } + protected function getAllowedParams() { return array ( 'title' => null, -- 2.20.1