Mglaser has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/180587

Change subject: Require post with edit token if $wgRawHtml is set
......................................................................

Require a POST carrying a valid edit token when $wgRawHtml is set

Bug: T76195
Change-Id: Idc6b25689fdaa4640395b9d6e10daa011dea25f9
---
M SpecialTemplateSandbox.php
M i18n/en.json
M i18n/qqq.json
3 files changed, 22 insertions(+), 6 deletions(-)


  git pull 
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/TemplateSandbox 
refs/changes/87/180587/1

diff --git a/SpecialTemplateSandbox.php b/SpecialTemplateSandbox.php
index cc56023..d011671 100644
--- a/SpecialTemplateSandbox.php
+++ b/SpecialTemplateSandbox.php
@@ -53,6 +53,7 @@
                $this->checkPermissions();
 
                $request = $this->getRequest();
+               $requirePost = $this->getConfig()->get( 'RawHtml' );
 
                if ( $par !== null && !$request->getCheck( 'page' ) ) {
                        $request->setVal( 'page', $par );
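Review bot: The reason `$wgRawHtml` switches this special page to POST lives only in the commit title; a maintainer reading `$requirePost = $this->getConfig()->get( 'RawHtml' );` in isolation will not see the security motive. I would put it above that line: `// With $wgRawHtml the parser lets raw <html> through, so a preview reachable by GET would be a reflected-XSS / CSRF vector; insist on a POST with an edit token instead.` The enclosing execute() starts before this hunk.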
@@ -92,7 +93,7 @@
                                'rows' => 5,
                        ),
                ), $this->getContext() );
-               $form->setMethod( 'get' );
+               $form->setMethod( $requirePost ? 'post' : 'get' );
                $form->setSubmitCallback( array( $this, 'onSubmit' ) );
                $form->setWrapperLegend( $this->msg( 'templatesandbox-legend' ) 
);
                $form->addHeaderText( $this->msg( 'templatesandbox-text' 
)->parseAsBlock() );
@@ -100,12 +101,23 @@
 
                $form->prepareForm();
                if ( $request->getCheck( 'page' ) || $request->getCheck( 
'revid' ) ) {
-                       $form->displayForm( $form->trySubmit() );
+                       $form->displayForm( $form->tryAuthorizedSubmit() );
                } else {
                        $form->displayForm( false );
                }
 
-               if ( $this->output !== null ) {
+               $error = false;
+               if ( $requirePost && $this->getRequest()->wasPosted() ) {
+                       $user = $this->getUser();
+                       if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
+                               $error = 'templatesandbox-fail-post-anon';
+                       } elseif ( !$user->matchEditToken( $request->getVal( 
'wpEditToken' ), '', $request ) ) {
+                               $error = 'templatesandbox-fail-post';
+                       }
+               }
+               if ( $error !== false ) {
+                       $this->getOutput()->wrapWikiMsg( "<div 
class='previewnote'>\n$1\n</div>", $error );
+               } elseif ( $this->output !== null ) {
                        // Wrap output in a div for proper language markup.
                        $pageLang = $this->title->getPageLanguage();
                        $attribs = array( 'lang' => $pageLang->getCode(), 'dir' 
=> $pageLang->getDir(),
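Review bot: The authorization decision for raw-HTML wikis is made only after `$form->tryAuthorizedSubmit()` has already run the submit callback, so a rejected POST still gets its preview parsed and merely has the output suppressed. If HTMLForm lets token-less anonymous POSTs reach onSubmit — which the separate anon branch here suggests is the case — a rejected request pays for a full parse of attacker-chosen wikitext, and the protection rests on `$this->output` never being emitted on any other path rather than on the submit not happening. I would compute `$error` before the submit, skip `tryAuthorizedSubmit()` when it is set, and use the `$request` already bound earlier instead of calling `$this->getRequest()` again on the `wasPosted()` line, matching the `$request->getVal(...)` call two lines below. Note also that for anonymous users who are allowed to edit, the token they match is the public anonymous token, so the check only buys a "session lost" message there, as with core's ExpandTemplates; a comment saying so would stop the next reader from assuming it blocks CSRF for that case. Both the enclosing execute() and the onSubmit body that populates `$this->output` lie outside this hunk, so the reordering below assumes onSubmit has no other side effect that callers rely on.
```php
		$form->prepareForm();

		// On a $wgRawHtml wiki the preview may carry arbitrary markup, so
		// decide whether this POST is authorized *before* anything is parsed.
		// (Anonymous users allowed to edit match the public anonymous token;
		// this only yields a "session lost" message for them, as in core.)
		$error = false;
		if ( $requirePost && $request->wasPosted() ) {
			$user = $this->getUser();
			if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
				$error = 'templatesandbox-fail-post-anon';
			} elseif ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ), '', $request ) ) {
				$error = 'templatesandbox-fail-post';
			}
		}

		if ( $error === false && ( $request->getCheck( 'page' ) || $request->getCheck( 'revid' ) ) ) {
			$form->displayForm( $form->tryAuthorizedSubmit() );
		} else {
			$form->displayForm( false );
		}

		if ( $error !== false ) {
			$this->getOutput()->wrapWikiMsg( "<div class='previewnote'>\n$1\n</div>", $error );
		} elseif ( $this->output !== null ) {
			// … unchanged: wrap the rendered preview in a language div …
```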
@@ -189,7 +201,7 @@
        /**
         * @param $data array
         * @param $form
-        * @return bool|String
+        * @return Status
         */
        public function onSubmit( $data, $form ) {
                if ( $data['revid'] !== '' && $data['revid'] !== null ) {
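Review bot: The docblock now declares `@return Status` but leaves the parameters half-typed, with `@param $data array` in the wrong order and `$form` untyped. Since the callback is registered on an HTMLForm, I would write `@param array $data` and `@param HTMLForm $form` so static analysis and IDEs can follow the `Status::newFatal` / `Status::newGood` contract end to end. The onSubmit body continues past this hunk.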
@@ -199,7 +211,7 @@
                        $title = Title::newFromText( $data['page'] );
                        $rev = Revision::newFromTitle( $title );
                } else {
-                       return $this->msg( 'templatesandbox-page-or-revid' 
)->parseAsBlock();
+                       return Status::newFatal( 
'templatesandbox-page-or-revid' );
                }
 
                wfProfileIn( __METHOD__ );
@@ -221,7 +233,7 @@
 
                wfProfileOut( __METHOD__ );
 
-               return false;
+               return Status::newGood();
        }
 
        /**
diff --git a/i18n/en.json b/i18n/en.json
index 0d17b43..2e4ed64 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -28,6 +28,8 @@
     "templatesandbox-invalid-prefix": "The sandbox prefix you specified is 
invalid.",
     "templatesandbox-prefix-not-local": "The sandbox prefix you specified is 
not local.",
     "templatesandbox-page-or-revid": "You must enter either a page title or a 
revision ID number.",
+    "templatesandbox-fail-post": "<em>Because {{SITENAME}} has raw HTML 
enabled and there was a loss of session data, the preview is hidden as a 
precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate 
preview attempt, please try again.</strong>\nIf it still does not work, try 
[[Special:UserLogout|logging out]] and logging back in.",
+    "templatesandbox-fail-post-anon": "<em>Because {{SITENAME}} has raw HTML 
enabled and you are not logged in, the preview is hidden as a precaution 
against JavaScript attacks.</em>\n\n<strong>If this is a legitimate preview 
attempt, please [[Special:UserLogin|log in]] and try again.</strong>",
     "templatesandbox-editform-need-template": "To preview another page with 
this template, a template name must be specified.",
     "templatesandbox-editform-need-title": "To preview another page with this 
template, a page title must be specified.",
     "templatesandbox-editform-invalid-template": "The name of the template you 
specified is invalid.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index 07e4dfe..70e67c8 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -30,6 +30,8 @@
        "templatesandbox-invalid-prefix": "Error message displayed when the 
sandbox prefix specified in the special page is invalid.",
        "templatesandbox-prefix-not-local": "Error message displayed when the 
sandbox prefix specified in the special page is not local.",
        "templatesandbox-page-or-revid": "Error message displayed when neither 
a page title nor rev_id is given in the special page.",
+       "templatesandbox-fail-post": "Error message displayed when attempting 
to use Special:TemplateSandbox with an invalid edit token on a wiki with 
$wgRawHtml true.\n\nSee also:\n* {{msg-mw|expand_templates_preview_fail_html}}",
+       "templatesandbox-fail-post-anon": "Error message displayed when 
attempting to use Special:TemplateSandbox as an anon on a wiki with $wgRawHtml 
true and anon editing disabled.\n\nSee also:\n* 
{{msg-mw|expand_templates_preview_fail_html_anon}}",
        "templatesandbox-editform-need-template": "Error message displayed when 
no template name is given for the editpage form.\n\nSee also:\n* 
{{msg-mw|Templatesandbox-editform-need-title}}",
        "templatesandbox-editform-need-title": "Error message displayed when no 
page title is given for the editpage form.\n\nSee also:\n* 
{{msg-mw|Templatesandbox-editform-need-template}}",
        "templatesandbox-editform-invalid-template": "Error message displayed 
when the template name specified for the editpage form is invalid.",


Gerrit-MessageType: newchange
Gerrit-Change-Id: Idc6b25689fdaa4640395b9d6e10daa011dea25f9
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/TemplateSandbox
Gerrit-Branch: REL1_24
Gerrit-Owner: Mglaser <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
