API debugging flag $wgDebugAPI to disable some security checks
[lhc/web/wiklou.git] / includes / api / ApiMain.php
index 9f88cd6..3f82d3c 100644 (file)
@@ -785,9 +785,10 @@ class ApiMain extends ApiBase {
         * @param $params Array an array with the request parameters
         */
        protected function setupExternalResponse( $module, $params ) {
-               // Ignore mustBePosted() for internal calls
-               if ( $module->mustBePosted() && !$this->getRequest()->wasPosted() ) {
-                       $this->dieUsageMsg( array( 'mustbeposted', $this->mAction ) );
+               if ( !$this->getRequest()->wasPosted() && $module->mustBePosted() ) {
+                       // Module requires POST. GET request might still be allowed
+                       // if $wgDebugApi is true, otherwise fail.
+                       $this->dieUsageMsgOrDebug( array( 'mustbeposted', $this->mAction ) );
                }
 
                // See if custom printer is used
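Review bot: The new comment spells the flag `$wgDebugApi`, but the global this commit reads in printResult() is `$wgDebugAPI`; PHP variable names are case-sensitive, so an operator copying the name from the comment would set a different variable. The comment also undersells what is relaxed: `mustBePosted()` is what keeps a state-changing module from being driven by a plain GET URL, so I would reword it as `// Module requires POST. With $wgDebugAPI enabled a GET is let through with a warning; this removes a request-forgery safeguard and must never be enabled on a reachable wiki.` `dieUsageMsgOrDebug()` is defined outside this hunk, so how it tests the flag cannot be confirmed from here. The body of setupExternalResponse() continues past the hunk.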
@@ -925,6 +926,11 @@ class ApiMain extends ApiBase {
         * @param $isError bool
         */
        protected function printResult( $isError ) {
+               global $wgDebugAPI;
+               if( $wgDebugAPI !== false ) {
+                       $this->getResult()->setWarning( 'SECURITY WARNING: $wgDebugAPI is enabled' );
+               }
+
                $this->getResult()->cleanUpUTF8();
                $printer = $this->mPrinter;
                $printer->profileIn();
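Review bot: The check `$wgDebugAPI !== false` in printResult() treats every value other than boolean false (`null`, `0`, an empty string, an undefined global) as "enabled". If `dieUsageMsgOrDebug()` tests the flag the same way (it is not visible here), a mis-typed setting would silently switch off the POST check. A security-relaxing flag is safer when only an explicit `true` turns it on, so both places should use `if ( $wgDebugAPI === true ) {`. The warning also reaches only the API client; adding a server-side log line next to it, for example `wfDebugLog( 'api', 'SECURITY WARNING: $wgDebugAPI is enabled' );`, lets operators detect a flag left on in production. printResult() continues past the hunk.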