* (bug 23548) Allow access of another users watchlist through watchlistraw using token and username
Refactored code into static method, and reused in both places
parent
ae075ea7e4
commit
3395bae78f
3 changed files with 42 additions and 24 deletions
|
|
@ -180,6 +180,7 @@ in a negative namespace (which is invalid).
|
|||
* (bug 23460) Parse action should have a section option
|
||||
* (bug 21346) Make deleted images searchable by hash
|
||||
* (bug 23461) Normalise usage of parameter names in parameter descriptions
|
||||
* (bug 23548) Allow access of another users watchlist through watchlistraw using token and username
|
||||
|
||||
=== Languages updated in 1.17 ===
|
||||
|
||||
|
|
|
|||
|
|
@ -53,26 +53,11 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase {
|
|||
$fld_notificationtimestamp = false;
|
||||
|
||||
private function run( $resultPageSet = null ) {
|
||||
global $wgUser;
|
||||
|
||||
$this->selectNamedDB( 'watchlist', DB_SLAVE, 'watchlist' );
|
||||
|
||||
$params = $this->extractRequestParams();
|
||||
|
||||
if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {
|
||||
$user = User::newFromName( $params['owner'], false );
|
||||
if ( !$user->getId() ) {
|
||||
$this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
|
||||
}
|
||||
$token = $user->getOption( 'watchlisttoken' );
|
||||
if ( $token == '' || $token != $params['token'] ) {
|
||||
$this->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );
|
||||
}
|
||||
} elseif ( !$wgUser->isLoggedIn() ) {
|
||||
$this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
|
||||
} else {
|
||||
$user = $wgUser;
|
||||
}
|
||||
|
||||
$user = ApiQueryWatchlist::getWatchlistUser( $params );
|
||||
|
||||
if ( !is_null( $params['prop'] ) && is_null( $resultPageSet ) ) {
|
||||
$prop = array_flip( $params['prop'] );
|
||||
|
|
@ -290,6 +275,30 @@ class ApiQueryWatchlist extends ApiQueryGeneratorBase {
|
|||
return $vals;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the user for whom to get the watchlist for
|
||||
*
|
||||
* @returns User
|
||||
*/
|
||||
public static function getWatchlistUser( $params ) {
|
||||
global $wgUser;
|
||||
if ( !is_null( $params['owner'] ) && !is_null( $params['token'] ) ) {
|
||||
$user = User::newFromName( $params['owner'], false );
|
||||
if ( !$user->getId() ) {
|
||||
$this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
|
||||
}
|
||||
$token = $user->getOption( 'watchlisttoken' );
|
||||
if ( $token == '' || $token != $params['token'] ) {
|
||||
$this->dieUsage( 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences', 'bad_wltoken' );
|
||||
}
|
||||
} elseif ( !$wgUser->isLoggedIn() ) {
|
||||
$this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
|
||||
} else {
|
||||
$user = $wgUser;
|
||||
}
|
||||
return $user;
|
||||
}
|
||||
|
||||
public function getAllowedParams() {
|
||||
return array(
|
||||
'allrev' => false,
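Review bot: `getWatchlistUser()` is declared `public static` but reports all three failure cases through `$this->dieUsage( ... )`, and `$this` is not available in a static method, so an unknown owner, a wrong token or an anonymous caller would end in a PHP fatal error rather than the `bad_wlowner`, `bad_wltoken` or `notloggedin` API errors. The same applies when the helper is called from `ApiQueryWatchlistRaw::run()`, which is a different class. Since both modules extend `ApiQueryGeneratorBase`, one option is to make the helper a non-static method on a shared base class and call `$this->getWatchlistUser( $params )`. Separately, when only one of `owner` and `token` is supplied the first condition is false and the request falls through to the logged-in user's own watchlist without any error; rejecting a lone `owner` or `token` would make that mistake visible. The docblock should use `@return User` and document the argument with `@param array $params`.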
|
||||
|
|
|
|||
|
|
@ -49,14 +49,12 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
|
|||
}
|
||||
|
||||
private function run( $resultPageSet = null ) {
|
||||
global $wgUser;
|
||||
|
||||
$this->selectNamedDB( 'watchlist', DB_SLAVE, 'watchlist' );
|
||||
|
||||
if ( !$wgUser->isLoggedIn() ) {
|
||||
$this->dieUsage( 'You must be logged-in to have a watchlist', 'notloggedin' );
|
||||
}
|
||||
|
||||
$params = $this->extractRequestParams();
|
||||
|
||||
$user = ApiQueryWatchlist::getWatchlistUser( $params );
|
||||
|
||||
$prop = array_flip( (array)$params['prop'] );
|
||||
$show = array_flip( (array)$params['show'] );
|
||||
if ( isset( $show['changed'] ) && isset( $show['!changed'] ) ) {
|
||||
|
|
@ -66,7 +64,7 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
|
|||
$this->addTables( 'watchlist' );
|
||||
$this->addFields( array( 'wl_namespace', 'wl_title' ) );
|
||||
$this->addFieldsIf( 'wl_notificationtimestamp', isset( $prop['changed'] ) );
|
||||
$this->addWhereFld( 'wl_user', $wgUser->getId() );
|
||||
$this->addWhereFld( 'wl_user', $user->getId() );
|
||||
$this->addWhereFld( 'wl_namespace', $params['namespace'] );
|
||||
$this->addWhereIf( 'wl_notificationtimestamp IS NOT NULL', isset( $show['changed'] ) );
|
||||
$this->addWhereIf( 'wl_notificationtimestamp IS NULL', isset( $show['!changed'] ) );
|
||||
|
|
@ -157,6 +155,12 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
|
|||
'changed',
|
||||
'!changed',
|
||||
)
|
||||
),
|
||||
'owner' => array(
|
||||
ApiBase::PARAM_TYPE => 'user'
|
||||
),
|
||||
'token' => array(
|
||||
ApiBase::PARAM_TYPE => 'string'
|
||||
)
|
||||
);
|
||||
}
|
||||
|
|
@ -168,6 +172,8 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
|
|||
'limit' => 'How many total results to return per request',
|
||||
'prop' => 'Which additional properties to get (non-generator mode only)',
|
||||
'show' => 'Only list items that meet these criteria',
|
||||
'owner' => 'The name of the user whose watchlist you\'d like to access',
|
||||
'token' => 'Give a security token (settable in preferences) to allow access to another user\'s watchlist',
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -179,6 +185,8 @@ class ApiQueryWatchlistRaw extends ApiQueryGeneratorBase {
|
|||
return array_merge( parent::getPossibleErrors(), array(
|
||||
array( 'code' => 'notloggedin', 'info' => 'You must be logged-in to have a watchlist' ),
|
||||
array( 'show' ),
|
||||
array( 'code' => 'bad_wlowner', 'info' => 'Specified user does not exist' ),
|
||||
array( 'code' => 'bad_wltoken', 'info' => 'Incorrect watchlist token provided -- please set a correct token in Special:Preferences' ),
|
||||
) );
|
||||
}
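Review bot: The `token` parameter added in the parameter-definition hunk (`'token' => array( ApiBase::PARAM_TYPE => 'string' )`) is described as a security token, but the check it feeds in `ApiQueryWatchlist::getWatchlistUser()` uses loose `!=`, which applies PHP's numeric-string comparison rules and is not constant-time. A strict, timing-safe comparison is the safer choice for a secret, e.g. `if ( $token == '' || !hash_equals( (string)$token, (string)$params['token'] ) ) {` where the runtime provides `hash_equals()`, and at least `$token !== $params['token']` otherwise. Because the token travels as an ordinary request parameter it can also end up in URLs and access logs, which the `token` description string could mention. The methods enclosing the parameter and description arrays start outside these hunks, so only the added entries are reviewed here.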
|
||||
|
||||
|
|
|
|||