From: Brad Jorsch
Date: Wed, 16 Mar 2016 14:34:40 +0000 (-0400)
Subject: API: Allow fetching login token from action=query&meta=tokens on private wikis
X-Git-Tag: 1.31.0-rc.0~7566^2
X-Git-Url: http://git.cyclocoop.org/ecrire?a=commitdiff_plain;h=02cc80c51487e8f277b17c10bbc037f3ee3268c5;p=lhc%2Fweb%2Fwiklou.git

API: Allow fetching login token from action=query&meta=tokens on private wikis

The problem is that ApiQuery requires the 'read' right even though ApiQueryTokens doesn't. So, we introduce an exception: if action=query gets only meta=tokens (and optionally rawcontinue and indexpageids, since they don't affect anything), no other modules and nothing in the ApiPageSet, ApiQuery::isReadMode() will return false.

Bug: T130112
Change-Id: I83dafb0305ff0cb1fc3bac668b88b5d2022e5880
---
diff --git a/includes/api/ApiQuery.php b/includes/api/ApiQuery.php
index 43369074ea..733ea2c1b1 100644
--- a/includes/api/ApiQuery.php
+++ b/includes/api/ApiQuery.php
@@ -552,6 +552,26 @@ class ApiQuery extends ApiBase {
 return implode( "\n", $moduleDescriptions );
 }
 
+ public function isReadMode() {
+ // We need to make an exception for ApiQueryTokens so login tokens can
+ // be fetched on private wikis. Restrict that exception as much as
+ // possible: no other modules allowed, and no pageset parameters
+ // either. We do allow the 'rawcontinue' and 'indexpageids' parameters
+ // since frameworks might add these unconditionally and they can't
+ // expose anything here.
+ $params = array_filter(
+ array_diff_key(
+ $this->extractRequestParams() + $this->getPageSet()->extractRequestParams(),
+ [ 'rawcontinue' => 1, 'indexpageids' => 1 ]
+ )
+ );
+ if ( $params === [ 'meta' => [ 'tokens' ] ] ) {
+ return false;
+ }
+
+ return true;
+ }
+
 protected function getExamplesMessages() {
 return [
 'action=query&prop=revisions&meta=siteinfo&' .
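Review bot: The bare `array_filter()` in `isReadMode()` discards every falsy value, not just unset parameters, so a parameter submitted as `0` or as an empty string disappears before the `=== [ 'meta' => [ 'tokens' ] ]` comparison and the request still skips the 'read' check. Which ApiQuery or ApiPageSet parameters can actually carry such a value is not visible in this hunk, but because the comparison gates an authorization exception it is safer to drop only the known "not supplied" values, e.g. `array_filter( ..., function ( $v ) { return $v !== null && $v !== false && $v !== []; } )`, so anything unexpected falls through to `return true`. The comment above the check mentions login tokens only; it should say that the exception presumably covers every token type ApiQueryTokens serves, since that module's own parameters do not appear in the compared set. A unit test pinning both outcomes (only `meta=tokens` gives false, any extra module or pageset parameter gives true) would keep later parameter additions from widening the exception unnoticed.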