X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/ajouter.php?a=blobdiff_plain;f=includes%2FOutputPage.php;h=2936ca3805f567b36bfb06f5d18cbd3b6744aecd;hb=7cfeed5ad6f70b7099ce9bb86792e7ccf4ff0813;hp=33bd7f8598675c7fb3fc162e510cc44b822487a9;hpb=650aa90f38511a7030921c6bf9a8cb4072b6d8d9;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 33bd7f8598..2936ca3805 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -182,12 +182,14 @@ class OutputPage extends ContextSource { protected $mFeedLinksAppendQuery = null; - /** - * @var int - * The level of 'untrustworthiness' allowed for modules loaded on this page. + /** @var array + * What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page? * @see ResourceLoaderModule::$origin + * ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden; */ - protected $mAllowedModuleOrigin = ResourceLoaderModule::ORIGIN_ALL; + protected $mAllowedModules = array( + ResourceLoaderModule::TYPE_COMBINED => ResourceLoaderModule::ORIGIN_ALL, + ); /** @var bool Whether output is disabled. If this is true, the 'output' method will do nothing. */ protected $mDoNothing = false; 
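Review bot: The new docblock for `$mAllowedModules` puts its last sentence after the `@see` tag, so documentation tools will read "ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden;" as part of the `@see` text, and the sentence ends in a stray semicolon. Because this array gates user-editable CSS/JS on restricted pages, the comment should spell out its shape: keys are ResourceLoaderModule TYPE_ constants and values are ORIGIN_ constants. Something like `@var array Map of ResourceLoaderModule TYPE_ constant => highest ORIGIN_ level allowed; a type without an entry is treated as ORIGIN_ALL`, with the `@see` line moved last, would cover it.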
@@ -1359,53 +1361,59 @@ class OutputPage extends ContextSource { } /** - * Restrict the page to loading modules bundled the software. + * Do not allow scripts which can be modified by wiki users to load on this page; + * only allow scripts bundled with, or generated by, the software. + * Site-wide styles are controlled by a config setting, since they can be + * used to create a custom skin/theme, but not user-specific ones. * - * Disallows the queue to contain any modules which can be modified by wiki - * users to load on this page. + * @todo this should be given a more accurate name */ public function disallowUserJs() { - $this->reduceAllowedModuleOrigin( ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL ); + $this->reduceAllowedModules( + ResourceLoaderModule::TYPE_SCRIPTS, + ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL + ); + + // Site-wide styles are controlled by a config setting, see bug 71621 + // for background on why. User styles are never allowed. + if ( $this->getConfig()->get( 'AllowSiteCSSOnRestrictedPages' ) ) { + $styleOrigin = ResourceLoaderModule::ORIGIN_USER_SITEWIDE; + } else { + $styleOrigin = ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL; + } + $this->reduceAllowedModules( + ResourceLoaderModule::TYPE_STYLES, + $styleOrigin + ); } /** - * Get the level of JavaScript / CSS untrustworthiness allowed on this page. - * + * Show what level of JavaScript / CSS untrustworthiness is allowed on this page * @see ResourceLoaderModule::$origin - * @param string $type Unused: Module origin allowance used to be fragmented by - * ResourceLoaderModule TYPE_ constants. 
+ * @param string $type ResourceLoaderModule TYPE_ constant * @return int ResourceLoaderModule ORIGIN_ class constant */ - public function getAllowedModules( $type = null ) { - return $this->mAllowedModuleOrigin; + public function getAllowedModules( $type ) { + if ( $type == ResourceLoaderModule::TYPE_COMBINED ) { + return min( array_values( $this->mAllowedModules ) ); + } else { + return isset( $this->mAllowedModules[$type] ) + ? $this->mAllowedModules[$type] + : ResourceLoaderModule::ORIGIN_ALL; + } } /** * Set the highest level of CSS/JS untrustworthiness allowed * * @deprecated since 1.24 Raising level of allowed untrusted content is no longer supported. - * Use reduceAllowedModuleOrigin() instead. - * + * Use reduceAllowedModules() instead * @param string $type ResourceLoaderModule TYPE_ constant - * @param int $level ResourceLoaderModule ORIGIN_ constant + * @param int $level ResourceLoaderModule class constant */ public function setAllowedModules( $type, $level ) { wfDeprecated( __METHOD__, '1.24' ); - $this->reduceAllowedModuleOrigin( $level ); - } - - /** - * Limit the highest level of CSS/JS untrustworthiness allowed. - * - * @deprecated since 1.24 Module allowance is no longer fragmented by content type. - * Use reduceAllowedModuleOrigin() instead. - * - * @param string $type ResourceLoaderModule TYPE_ constant - * @param int $level ResourceLoaderModule ORIGIN_ class constant - */ - public function reduceAllowedModules( $type, $level ) { - wfDeprecated( __METHOD__, '1.24' ); - $this->reduceAllowedModuleOrigin( $level ); + $this->reduceAllowedModules( $type, $level ); } /** 
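Review bot: In `getAllowedModules()`, a type with no entry of its own falls back to `ResourceLoaderModule::ORIGIN_ALL` and never consults the `TYPE_COMBINED` entry, so a restriction applied with `reduceAllowedModules( ResourceLoaderModule::TYPE_COMBINED, $level )` is not reflected when a caller later asks about `TYPE_SCRIPTS` or `TYPE_STYLES`. Whether any consumer queries per type is not visible in this hunk, but a gate on user-editable scripts should fail closed: `$cap = $this->mAllowedModules[ResourceLoaderModule::TYPE_COMBINED];` followed by `return isset( $this->mAllowedModules[$type] ) ? min( $cap, $this->mAllowedModules[$type] ) : $cap;`. The signature also loses its `= null` default, so a call without `$type` that worked before now fails on the missing argument. Keeping the default and treating null as `TYPE_COMBINED` would stay compatible.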
@@ -1414,10 +1422,11 @@ class OutputPage extends ContextSource { * If passed the same or a higher level than the current level of untrustworthiness set, the * level will remain unchanged. * + * @param string $type * @param int $level ResourceLoaderModule class constant */ - public function reduceAllowedModuleOrigin( $level ) { - $this->mAllowedModuleOrigin = min( $this->mAllowedModuleOrigin, $level ); + public function reduceAllowedModules( $type, $level ) { + $this->mAllowedModules[$type] = min( $this->getAllowedModules( $type ), $level ); } /**
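Review bot: `reduceAllowedModules()` uses `$type` directly as an array key with no check, and the new `@param string $type` line carries no description. A misspelled or unknown type therefore creates a fresh entry that lowers only the `TYPE_COMBINED` minimum and leaves the intended type at its previous level, which is easy to miss on a method whose job is to lock a page down. I would write the tag as `@param string $type ResourceLoaderModule TYPE_ constant` and either state in the docblock that unknown types are not rejected or reject them explicitly. The docblock opens above this hunk, so its first lines are not visible here.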