58ec5f03cf
At WMF, we get about 36,000 pre-send warnings from TransactionProfiler (Logstash: mediawiki-rdbms-performance), of which 9000 are from ApiLogout. For example: > Expectation (writes <= 0) by ApiMain::setRequestExpectations not met > (actual: 1): > role-primary: INSERT INTO `cu_changes` (…) VALUES (N,...,N,'X',N,...,N) These are actually fine as-is given that api?action=logout already requires POST method and CSRF tokens. We just didn't indicate yet that it was expected to perform writes (as opposed to using POST for cache reasons or due to query size). Change-Id: I89aa7bf672fbf71f153971ad9c0a5d6fbb7733f5
95 lines
2.5 KiB
PHP
95 lines
2.5 KiB
PHP
<?php
|
|
/**
|
|
* Copyright © 2008 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*
|
|
* @file
|
|
*/
|
|
|
|
use MediaWiki\Session\BotPasswordSessionProvider;
|
|
|
|
/**
|
|
* API module to allow users to log out of the wiki. API equivalent of
|
|
* Special:Userlogout.
|
|
*
|
|
* @ingroup API
|
|
*/
|
|
class ApiLogout extends ApiBase {
|
|
|
|
public function execute() {
|
|
$session = MediaWiki\Session\SessionManager::getGlobalSession();
|
|
|
|
// Handle bot password logout specially
|
|
if ( $session->getProvider() instanceof BotPasswordSessionProvider ) {
|
|
$session->unpersist();
|
|
return;
|
|
}
|
|
|
|
// Make sure it's possible to log out
|
|
if ( !$session->canSetUser() ) {
|
|
$this->dieWithError(
|
|
[
|
|
'cannotlogoutnow-text',
|
|
$session->getProvider()->describe( $this->getErrorFormatter()->getLanguage() )
|
|
],
|
|
'cannotlogout'
|
|
);
|
|
}
|
|
|
|
$user = $this->getUser();
|
|
$oldName = $user->getName();
|
|
$user->logout();
|
|
|
|
// Give extensions to do something after user logout
|
|
$injected_html = '';
|
|
$this->getHookRunner()->onUserLogoutComplete( $user, $injected_html, $oldName );
|
|
}
|
|
|
|
public function mustBePosted() {
|
|
return true;
|
|
}
|
|
|
|
public function needsToken() {
|
|
return 'csrf';
|
|
}
|
|
|
|
public function isWriteMode() {
|
|
// While core is optimized by default to not require DB writes on log out,
|
|
// these are authenticated POST requests and extensions (eg. CheckUser) are
|
|
// allowed to perform DB writes here without warnings.
|
|
return true;
|
|
}
|
|
|
|
protected function getWebUITokenSalt( array $params ) {
|
|
return 'logoutToken';
|
|
}
|
|
|
|
public function isReadMode() {
|
|
return false;
|
|
}
|
|
|
|
protected function getExamplesMessages() {
|
|
return [
|
|
'action=logout&token=123ABC'
|
|
=> 'apihelp-logout-example-logout',
|
|
];
|
|
}
|
|
|
|
public function getHelpUrls() {
|
|
return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:Logout';
|
|
}
|
|
}
|