[MediaWiki-commits] [Gerrit] mediawiki...LinkFilter[master]: [SECURITY] Version 3.3: add CSRF protection into the API mod...
Jack Phoenix has submitted this change and it was merged. Change subject: [SECURITY] Version 3.3: add CSRF protection into the API module and the special pages which perform write actions .. [SECURITY] Version 3.3: add CSRF protection into the API module and the special pages which perform write actions Also swapped jQuery to $ in the JS file and fixed a bug in Special:LinkEdit where the redirection to Special:LinkSubmit wasn't always working. Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6 --- M ApiLinkFilter.php M LinkFilter.js M SpecialLinkEdit.php M SpecialLinkSubmit.php M extension.json 5 files changed, 53 insertions(+), 36 deletions(-) Approvals: Jack Phoenix: Verified; Looks good to me, approved
diff --git a/ApiLinkFilter.php b/ApiLinkFilter.php
index 9a8836a..bc05091 100644
--- a/ApiLinkFilter.php
+++ b/ApiLinkFilter.php
@@ -63,6 +63,14 @@
return true;
}
+ public function needsToken() {
+ return 'csrf';
+ }
+
+ public function isWriteMode() {
+ return true;
+ }
+
/**
* @return String: human-readable module description
*/
diff --git a/LinkFilter.js b/LinkFilter.js
index 46eeeb7..54f14fb 100644
--- a/LinkFilter.js
+++ b/LinkFilter.js
@@ -3,7 +3,6 @@
*
* @file
* @author Jack Phoenix
- * @date 9 August 2015
*/
var LinkFilter = {
/**
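Review bot: `needsToken()` returning `'csrf'` makes the API framework validate a token before `execute()` runs, but core documents that a token-requiring module must also return true from `mustBePosted()`, otherwise the token can travel in a GET URL and leak through access logs and Referer headers; the `return true; }` just above the insertion may already be that method, but its name is outside the hunk, so please confirm. The token check covers only the CSRF half: a valid token proves the request came from the logged-in user's own session, so `execute()` (also outside this hunk) must still verify that the acting user holds the approve/reject right. Both new methods would benefit from a one-line docblock stating the intent, e.g. `/** @return string Token type required before execute() runs; 'csrf' is the core type for write actions. */` above `needsToken()` and `/** @return bool Marks this module as a write action so the API refuses it when writes are disabled or the wiki is read-only. */` above `isWriteMode()`. The enclosing class starts and ends outside the hunk.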
@@ -14,28 +13,25 @@
* @param {Number} ID of the link to approve or reject
*/
linkAction: function( action, link_id ) {
- jQuery( 'div.action-buttons-1' ).hide();
+ $( 'div.action-buttons-1' ).hide();
- jQuery.post(
- mw.util.wikiScript( 'api' ), {
- action: 'linkfilter',
- id: link_id,
- status: action,
- format: 'json'
- },
- function( data ) {
- var msg;
- switch ( action ) {
- case 1:
- msg = mw.msg( 'linkfilter-admin-accept-success' );
- break;
- case 2:
- msg = mw.msg( 'linkfilter-admin-reject-success' );
- break;
- }
- jQuery( '#action-buttons-' + link_id ).html( msg ).show( 1000 );
+ ( new mw.Api() ).postWithToken( 'edit', {
+ action: 'linkfilter',
+ id: link_id,
+ status: action,
+ format: 'json'
+ } ).done( function( data ) {
+ var msg;
+ switch ( action ) {
+ case 1:
+ msg = mw.msg( 'linkfilter-admin-accept-success' );
+ break;
+ case 2:
+ msg = mw.msg( 'linkfilter-admin-reject-success' );
+ break;
}
- );
+ $( '#action-buttons-' + link_id ).html( msg ).show( 1000 );
+ } );
},
/**
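Review bot: The new `postWithToken()` chain attaches only `.done()`, so when the API rejects the request (bad or expired token, missing right, read-only wiki) the buttons hidden on the first line of `linkAction` stay hidden and the admin gets no sign that the approve/reject did not happen; add a failure handler that restores the controls and surfaces the error code, for instance `.fail( function( code ) { $( 'div.action-buttons-1' ).show(); mw.notify( code, { type: 'error' } ); } )` after the `.done()` call. Two smaller points on the same call: `'edit'` as the token type relies on mw.Api mapping the legacy alias onto the `'csrf'` type the server module now requests, so `postWithToken( 'csrf', {` states the contract directly, and `format: 'json'` is redundant because mw.Api sets it itself. The `.hide()` on the first changed line targets the fixed class `div.action-buttons-1` rather than the row for `link_id`, which looks pre-existing but is worth checking against the markup Special:LinkApprove emits. The enclosing `LinkFilter` object starts and ends outside the hunk.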
@@ -91,28 +87,28 @@
}
};
-jQuery( document ).ready( function() {
+$( document ).ready( function() {
// "Accept" links on Special:LinkApprove
- jQuery( 'a.action-accept' ).click( function() {
- var that = jQuery( this );
+ $( 'a.action-accept' ).click( function() {
+ var that = $( this );
LinkFilter.linkAction( 1, that.data( 'link-id' ) );
} );
// "Reject" links on Special:LinkApprove
- jQuery( 'a.action-reject' ).click( function() {
- var that = jQuery( this );
+ $( 'a.action-reject' ).click( function() {
+ var that = $( this );
LinkFilter.linkAction( 2, that.data( 'link-id' ) );
} );
// Textarea on Special:LinkEdit/Special:LinkSubmit
- jQuery( 'textarea.lr-input' ).bind( 'keyup', function() {
+ $( 'textarea.lr-input' ).bind( 'keyup', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} ).bind( 'keydown', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} );
// Submit button on Special:LinkEdit/Special:LinkSubmit
- jQuery( '#link-submit-button' ).click( function() {
+ $( '#link-submit-button' ).click( function() {
LinkFilter.submitLink();
} );
} );
\ No newline at end of
[MediaWiki-commits] [Gerrit] mediawiki...LinkFilter[master]: [SECURITY] Version 3.3: add CSRF protection into the API mod...
Jack Phoenix has uploaded a new change for review. https://gerrit.wikimedia.org/r/308324 Change subject: [SECURITY] Version 3.3: add CSRF protection into the API module and the special pages which perform write actions .. [SECURITY] Version 3.3: add CSRF protection into the API module and the special pages which perform write actions Also swapped jQuery to $ in the JS file and fixed a bug in Special:LinkEdit where the redirection to Special:LinkSubmit wasn't always working. Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6 --- M ApiLinkFilter.php M LinkFilter.js M SpecialLinkEdit.php M SpecialLinkSubmit.php M extension.json 5 files changed, 53 insertions(+), 36 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/LinkFilter refs/changes/24/308324/1
diff --git a/ApiLinkFilter.php b/ApiLinkFilter.php
index 9a8836a..bc05091 100644
--- a/ApiLinkFilter.php
+++ b/ApiLinkFilter.php
@@ -63,6 +63,14 @@
return true;
}
+ public function needsToken() {
+ return 'csrf';
+ }
+
+ public function isWriteMode() {
+ return true;
+ }
+
/**
* @return String: human-readable module description
*/
diff --git a/LinkFilter.js b/LinkFilter.js
index 46eeeb7..54f14fb 100644
--- a/LinkFilter.js
+++ b/LinkFilter.js
@@ -3,7 +3,6 @@
*
* @file
* @author Jack Phoenix
- * @date 9 August 2015
*/
var LinkFilter = {
/**
@@ -14,28 +13,25 @@
* @param {Number} ID of the link to approve or reject
*/
linkAction: function( action, link_id ) {
- jQuery( 'div.action-buttons-1' ).hide();
+ $( 'div.action-buttons-1' ).hide();
- jQuery.post(
- mw.util.wikiScript( 'api' ), {
- action: 'linkfilter',
- id: link_id,
- status: action,
- format: 'json'
- },
- function( data ) {
- var msg;
- switch ( action ) {
- case 1:
- msg = mw.msg( 'linkfilter-admin-accept-success' );
- break;
- case 2:
- msg = mw.msg( 'linkfilter-admin-reject-success' );
- break;
- }
- jQuery( '#action-buttons-' + link_id ).html( msg ).show( 1000 );
+ ( new mw.Api() ).postWithToken( 'edit', {
+ action: 'linkfilter',
+ id: link_id,
+ status: action,
+ format: 'json'
+ } ).done( function( data ) {
+ var msg;
+ switch ( action ) {
+ case 1:
+ msg = mw.msg( 'linkfilter-admin-accept-success' );
+ break;
+ case 2:
+ msg = mw.msg( 'linkfilter-admin-reject-success' );
+ break;
}
- );
+ $( '#action-buttons-' + link_id ).html( msg ).show( 1000 );
+ } );
},
/**
@@ -91,28 +87,28 @@
}
};
-jQuery( document ).ready( function() {
+$( document ).ready( function() {
// "Accept" links on Special:LinkApprove
- jQuery( 'a.action-accept' ).click( function() {
- var that = jQuery( this );
+ $( 'a.action-accept' ).click( function() {
+ var that = $( this );
LinkFilter.linkAction( 1, that.data( 'link-id' ) );
} );
// "Reject" links on Special:LinkApprove
- jQuery( 'a.action-reject' ).click( function() {
- var that = jQuery( this );
+ $( 'a.action-reject' ).click( function() {
+ var that = $( this );
LinkFilter.linkAction( 2, that.data( 'link-id' ) );
} );
// Textarea on Special:LinkEdit/Special:LinkSubmit
- jQuery( 'textarea.lr-input' ).bind( 'keyup', function() {
+ $( 'textarea.lr-input' ).bind( 'keyup', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} ).bind( 'keydown', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} );
// Submit button on Special:LinkEdit/Special:LinkSubmit
- jQuery( '#link-submit-button' ).click( function() {
+ $( '#link-submit-button' ).click( function() {