Parent5446 has uploaded a new change for review.
https://gerrit.wikimedia.org/r/76458
Change subject: Changed logged out tokens to use session if already there
......................................................................
Changed logged out tokens to use session if already there
MediaWiki doesn't start sessions for anonymous users unless absolutely
necessary. Because of this, current logic does not give anonymous users
any sort of edit token. However, if for some reason the user already has
a session, there's no reason to not give them an edit token.
This changes edit token logic so that anonymous users who already have a
session started will get a legitimate edit token.
Bug: 38417
Change-Id: Ie59ff9cb4f78844781cf14757f11c538cdd432e0
---
M includes/HTMLForm.php
M includes/User.php
2 files changed, 2 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/58/76458/1
diff --git a/includes/HTMLForm.php b/includes/HTMLForm.php
index cd440a9..92b9bd2 100644
--- a/includes/HTMLForm.php
+++ b/includes/HTMLForm.php
@@ -345,7 +345,7 @@
$submit = true; // no session check needed
} elseif ( $request->wasPosted() && $request->checkCSRF() ) {
$editToken = $request->getVal( 'wpEditToken' );
- if ( $this->getUser()->isLoggedIn() || $editToken !=
null ) {
+ if ( isset( $_SESSION ) || $editToken != null ) {
// Session tokens for logged-out users have no
security value.
// However, if the user gave one, check it in
order to give a nice
// "session expired" error instead of
"permission denied" or such.
diff --git a/includes/User.php b/includes/User.php
index a2d438c..119de90 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -3543,7 +3543,7 @@
$request = $this->getRequest();
}
- if ( $this->isAnon() ) {
+ if ( !isset( $_SESSION ) ) {
return EDIT_TOKEN_SUFFIX;
} else {
$token = $request->getSessionData( 'wsEditToken' );
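Review bot: Replacing `$this->isAnon()` with `!isset( $_SESSION )` makes the early return depend only on the superglobal, so a logged-in user whose request has no `$_SESSION` set now receives the bare `EDIT_TOKEN_SUFFIX` instead of a token derived from `wsEditToken`. Suggest `if ( $this->isAnon() && !isset( $_SESSION ) )` so that only anonymous users without a session take the early return. The else branch reads the token through `$request->getSessionData()`, while the new test reads `$_SESSION` directly; if a caller supplies a different request (the `$request = $this->getRequest();` fallback above suggests it can), the two can disagree, so the presence test would be better expressed against `$request`. The anonymous-with-session behaviour also deserves a line in the method's doc comment.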
--
To view, visit https://gerrit.wikimedia.org/r/76458
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie59ff9cb4f78844781cf14757f11c538cdd432e0
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Parent5446 <[email protected]>