Anomie has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/354646 )

Change subject: ApiSandbox: Indiciate when login is suppressed
......................................................................

ApiSandbox: Indicate when login is suppressed

ApiMain will add a header to indicate that lacksSameOriginSecurity()
forced the request to be processed as if logged out, and ApiSandbox will
detect this header to display a helpful message on the results page.

Bug: T165797
Change-Id: I56390b31563c75d83cf0a8ffb1b8e4f3283895f0
---
M includes/api/ApiMain.php
M languages/i18n/en.json
M languages/i18n/qqq.json
M resources/Resources.php
M resources/src/mediawiki.special/mediawiki.special.apisandbox.js
5 files changed, 14 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/46/354646/1

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 00f976e..d7586e0 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -236,6 +236,7 @@
                                wfDebug( "API: stripping user credentials when 
the same-origin policy is not applied\n" );
                                $wgUser = new User();
                                $this->getContext()->setUser( $wgUser );
+                               $request->response()->header( 
'MediaWiki-Login-Suppressed: true' );
                        }
                }
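Review bot: The new `MediaWiki-Login-Suppressed` header is a public, cross-origin-exposed API surface, yet the diffstat shows no RELEASE-NOTES entry and the added line carries no comment explaining why a response header is being set from inside the credential-stripping branch. I would add `// Signal to clients (e.g. ApiSandbox) that credentials were dropped; exposed via Access-Control-Expose-Headers below.` above the `header()` call and a release note describing the header and its only value, `true`. It also looks like `$request` is assigned earlier in this method rather than in the hunk; the enclosing method starts outside the hunk, so that should be confirmed. The header value is a constant string, so there is no header-injection concern here.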
 
@@ -778,7 +779,8 @@
 
                        if ( !$preflight ) {
                                $response->header(
-                                       'Access-Control-Expose-Headers: 
MediaWiki-API-Error, Retry-After, X-Database-Lag'
+                                       'Access-Control-Expose-Headers: 
MediaWiki-API-Error, Retry-After, X-Database-Lag, '
+                                       . 'MediaWiki-Login-Suppressed'
                                );
                        }
                }
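Review bot: The header name `MediaWiki-Login-Suppressed` is now spelled out twice in this file (here in the expose list and earlier where it is emitted), so a typo in either place would silently break detection in ApiSandbox without any test failing. A class constant such as `const HEADER_LOGIN_SUPPRESSED = 'MediaWiki-Login-Suppressed';` used in both places would keep them in sync; the expose line would become `'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag, ' . self::HEADER_LOGIN_SUPPRESSED`. The enclosing method starts and ends outside the hunk.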
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index fcdbfdc..04d9dc1 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -2012,6 +2012,7 @@
        "apisandbox-sending-request": "Sending API request...",
        "apisandbox-loading-results": "Receiving API results...",
        "apisandbox-results-error": "An error occurred while loading the API 
query response: $1.",
+       "apisandbox-results-login-suppressed": "This request has been processed 
as a logged-out user as it could be used to bypass browser Same-Origin 
security. Note that ApiSandbox's automatic token handling does not work 
properly with such requests, please fill them in manually.",
        "apisandbox-request-selectformat-label": "Show request data as:",
        "apisandbox-request-format-url-label": "URL query string",
        "apisandbox-request-url-label": "Request URL:",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index fbd943d..a161629 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -2200,6 +2200,7 @@
        "apisandbox-sending-request": "JavaScript message displayed while the 
request is being sent.",
        "apisandbox-loading-results": "JavaScript message displayed while the 
response is being read.",
        "apisandbox-results-error": "Displayed as an error message from 
JavaScript when the request failed.\n\nParameters:\n* $1 - Error message",
+       "apisandbox-results-login-suppressed": "Displayed as a warning when a 
request was processed as a logged-out user to avoid Same-Origin security 
bypass.",
        "apisandbox-request-selectformat-label": "Label for the format selector 
on the results page.",
        "apisandbox-request-format-url-label": "Label for the menu item to 
select URL format.\n\nSee also:\n* 
{{msg-mw|apisandbox-request-selectformat-label}}\n* 
{{msg-mw|apisandbox-request-url-label}}",
        "apisandbox-request-url-label": "Label for the text field displaying 
the URL used to make this request.\n\nSee also:\n* 
{{msg-mw|apisandbox-request-format-url-label}}",
diff --git a/resources/Resources.php b/resources/Resources.php
index 4c9934d..1017956 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1900,6 +1900,7 @@
                        'apisandbox-sending-request',
                        'apisandbox-loading-results',
                        'apisandbox-results-error',
+                       'apisandbox-results-login-suppressed',
                        'apisandbox-request-selectformat-label',
                        'apisandbox-request-format-url-label',
                        'apisandbox-request-url-label',
diff --git a/resources/src/mediawiki.special/mediawiki.special.apisandbox.js 
b/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
index f53850a..6916477 100644
--- a/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
+++ b/resources/src/mediawiki.special/mediawiki.special.apisandbox.js
@@ -1120,9 +1120,16 @@
                                        } )
                                        .done( function ( data, jqXHR ) {
                                                var m, loadTime, button, clear,
-                                                       ct = 
jqXHR.getResponseHeader( 'Content-Type' );
+                                                       ct = 
jqXHR.getResponseHeader( 'Content-Type' ),
+                                                       loginSuppressed = 
jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';
 
                                                $result.empty();
+                                               if ( loginSuppressed !== 
'false' ) {
+                                                       $( '<div>' )
+                                                               .addClass( 
'warning' )
+                                                               .append( 
Util.parseMsg( 'apisandbox-results-login-suppressed' ) )
+                                                               .appendTo( 
$result );
+                                               }
                                                if ( 
/^text\/mediawiki-api-prettyprint-wrapped(?:;|$)/.test( ct ) ) {
                                                        data = JSON.parse( data 
);
                                                        if ( 
data.modules.length ) {
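Review bot: The `|| 'false'` default followed by `!== 'false'` is a roundabout presence check on a header that the server only ever sends with the value `true`, and it would misfire if some proxy or future server version emitted a literal `false`. Since `getResponseHeader()` returns `null` for an absent header, `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) !== null` followed by `if ( loginSuppressed ) {` states the intent directly and is robust to the header's value. The check also lives only in the `.done` handler, so a request that fails (for example with a token error caused by the very suppression this warns about) presumably never shows the hint; whether `.fail` should detect it too is worth confirming. The enclosing `.done` callback continues beyond the hunk.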


Gerrit-MessageType: newchange
Gerrit-Change-Id: I56390b31563c75d83cf0a8ffb1b8e4f3283895f0
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>
