[MediaWiki-commits] [Gerrit] mediawiki...LinkFilter[master]: [SECURITY] Version 3.3: add CSRF protection into the API mod...

2016-09-03 Thread Jack Phoenix (Code Review)
Jack Phoenix has submitted this change and it was merged.

Change subject: [SECURITY] Version 3.3: add CSRF protection into the API module 
and the special pages which perform write actions
..


[SECURITY] Version 3.3: add CSRF protection into the API module and the special 
pages which perform write actions

Also swapped jQuery to $ in the JS file and fixed a bug in
Special:LinkEdit where the redirection to Special:LinkSubmit wasn't always
working.

Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6
---
M ApiLinkFilter.php
M LinkFilter.js
M SpecialLinkEdit.php
M SpecialLinkSubmit.php
M extension.json
5 files changed, 53 insertions(+), 36 deletions(-)

Approvals:
  Jack Phoenix: Verified; Looks good to me, approved



diff --git a/ApiLinkFilter.php b/ApiLinkFilter.php
index 9a8836a..bc05091 100644
--- a/ApiLinkFilter.php
+++ b/ApiLinkFilter.php
@@ -63,6 +63,14 @@
return true;
}
 
+   public function needsToken() {
+   return 'csrf';
+   }
+
+   public function isWriteMode() {
+   return true;
+   }
+
/**
 * @return String: human-readable module description
 */
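Review bot: The two new overrides `needsToken()` and `isWriteMode()` carry no doc comment, although the neighbouring methods in this class do (the `@return String: human-readable module description` block directly below); add `/** @return string Token type: this module changes link status, so a CSRF token is required */` above `needsToken()` and `/** @return bool This module writes to the database */` above `isWriteMode()`. In MediaWiki cores where ApiBase::mustBePosted() defaults to `needsToken() !== false` the token requirement also forces POST; if this extension still targets older cores, an explicit `public function mustBePosted() { return true; }` keeps the token out of GET query strings and referrers. The same hunk is repeated in the re-posted copy of this change further down the page.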
diff --git a/LinkFilter.js b/LinkFilter.js
index 46eeeb7..54f14fb 100644
--- a/LinkFilter.js
+++ b/LinkFilter.js
@@ -3,7 +3,6 @@
  *
  * @file
  * @author Jack Phoenix 
- * @date 9 August 2015
  */
 var LinkFilter = {
/**
@@ -14,28 +13,25 @@
 * @param {Number} ID of the link to approve or reject
 */
linkAction: function( action, link_id ) {
-   jQuery( 'div.action-buttons-1' ).hide();
+   $( 'div.action-buttons-1' ).hide();
 
-   jQuery.post(
-   mw.util.wikiScript( 'api' ), {
-   action: 'linkfilter',
-   id: link_id,
-   status: action,
-   format: 'json'
-   },
-   function( data ) {
-   var msg;
-   switch ( action ) {
-   case 1:
-   msg = mw.msg( 
'linkfilter-admin-accept-success' );
-   break;
-   case 2:
-   msg = mw.msg( 
'linkfilter-admin-reject-success' );
-   break;
-   }
-   jQuery( '#action-buttons-' + link_id ).html( 
msg ).show( 1000 );
+   ( new mw.Api() ).postWithToken( 'edit', {
+   action: 'linkfilter',
+   id: link_id,
+   status: action,
+   format: 'json'
+   } ).done( function( data ) {
+   var msg;
+   switch ( action ) {
+   case 1:
+   msg = mw.msg( 
'linkfilter-admin-accept-success' );
+   break;
+   case 2:
+   msg = mw.msg( 
'linkfilter-admin-reject-success' );
+   break;
}
-   );
+   $( '#action-buttons-' + link_id ).html( msg ).show( 
1000 );
+   } );
},
 
/**
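Review bot: The new `postWithToken()` chain registers only a `.done()` callback, while `$( 'div.action-buttons-1' ).hide()` at the top of linkAction has already hidden the buttons; if the token fetch or the API request is rejected (badtoken, permission denied, transport error) the user is left with neither buttons nor a message. Add a failure branch after the `.done()` handler, e.g. `} ).fail( function ( code, result ) {` / `$( 'div.action-buttons-1' ).show();` plus a user-visible error, so a rejected action is recoverable. The PHP side declares the token type as `'csrf'` but this call asks for `'edit'`; mw.Api maps the legacy name onto `csrf`, yet passing `'csrf'` here keeps both sides consistent. `format: 'json'` is redundant with mw.Api and the `data` argument of the done callback is unused. The same hunk appears again in the re-posted copy of this change below.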
@@ -91,28 +87,28 @@
}
 };
 
-jQuery( document ).ready( function() {
+$( document ).ready( function() {
// "Accept" links on Special:LinkApprove
-   jQuery( 'a.action-accept' ).click( function() {
-   var that = jQuery( this );
+   $( 'a.action-accept' ).click( function() {
+   var that = $( this );
LinkFilter.linkAction( 1, that.data( 'link-id' ) );
} );
 
// "Reject" links on Special:LinkApprove
-   jQuery( 'a.action-reject' ).click( function() {
-   var that = jQuery( this );
+   $( 'a.action-reject' ).click( function() {
+   var that = $( this );
LinkFilter.linkAction( 2, that.data( 'link-id' ) );
} );
 
// Textarea on Special:LinkEdit/Special:LinkSubmit
-   jQuery( 'textarea.lr-input' ).bind( 'keyup', function() {
+   $( 'textarea.lr-input' ).bind( 'keyup', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} ).bind( 'keydown', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} );
 
// Submit button on Special:LinkEdit/Special:LinkSubmit
-   jQuery( '#link-submit-button' ).click( function() {
+   $( '#link-submit-button' ).click( function() {
LinkFilter.submitLink();
} );
 } );
\ No newline at end of 
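Review bot: The keyup and keydown handlers bound to `textarea.lr-input` are identical copies; since these lines are rewritten by this change anyway, one registration covers both events: `$( 'textarea.lr-input' ).on( 'keyup keydown', function () {` / `LinkFilter.limitText( document.link.lf_desc, 300 );` / `} );`. The `var that = $( this );` temporaries in the accept and reject handlers are each used exactly once and could be inlined as `$( this ).data( 'link-id' )`. The same hunk is repeated in the re-posted copy below, where it is cut off at the end of the page.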

[MediaWiki-commits] [Gerrit] mediawiki...LinkFilter[master]: [SECURITY] Version 3.3: add CSRF protection into the API mod...

2016-09-03 Thread Jack Phoenix (Code Review)
Jack Phoenix has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/308324

Change subject: [SECURITY] Version 3.3: add CSRF protection into the API module 
and the special pages which perform write actions
..

[SECURITY] Version 3.3: add CSRF protection into the API module and the special 
pages which perform write actions

Also swapped jQuery to $ in the JS file and fixed a bug in
Special:LinkEdit where the redirection to Special:LinkSubmit wasn't always
working.

Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6
---
M ApiLinkFilter.php
M LinkFilter.js
M SpecialLinkEdit.php
M SpecialLinkSubmit.php
M extension.json
5 files changed, 53 insertions(+), 36 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/LinkFilter 
refs/changes/24/308324/1

diff --git a/ApiLinkFilter.php b/ApiLinkFilter.php
index 9a8836a..bc05091 100644
--- a/ApiLinkFilter.php
+++ b/ApiLinkFilter.php
@@ -63,6 +63,14 @@
return true;
}
 
+   public function needsToken() {
+   return 'csrf';
+   }
+
+   public function isWriteMode() {
+   return true;
+   }
+
/**
 * @return String: human-readable module description
 */
diff --git a/LinkFilter.js b/LinkFilter.js
index 46eeeb7..54f14fb 100644
--- a/LinkFilter.js
+++ b/LinkFilter.js
@@ -3,7 +3,6 @@
  *
  * @file
  * @author Jack Phoenix 
- * @date 9 August 2015
  */
 var LinkFilter = {
/**
@@ -14,28 +13,25 @@
 * @param {Number} ID of the link to approve or reject
 */
linkAction: function( action, link_id ) {
-   jQuery( 'div.action-buttons-1' ).hide();
+   $( 'div.action-buttons-1' ).hide();
 
-   jQuery.post(
-   mw.util.wikiScript( 'api' ), {
-   action: 'linkfilter',
-   id: link_id,
-   status: action,
-   format: 'json'
-   },
-   function( data ) {
-   var msg;
-   switch ( action ) {
-   case 1:
-   msg = mw.msg( 
'linkfilter-admin-accept-success' );
-   break;
-   case 2:
-   msg = mw.msg( 
'linkfilter-admin-reject-success' );
-   break;
-   }
-   jQuery( '#action-buttons-' + link_id ).html( 
msg ).show( 1000 );
+   ( new mw.Api() ).postWithToken( 'edit', {
+   action: 'linkfilter',
+   id: link_id,
+   status: action,
+   format: 'json'
+   } ).done( function( data ) {
+   var msg;
+   switch ( action ) {
+   case 1:
+   msg = mw.msg( 
'linkfilter-admin-accept-success' );
+   break;
+   case 2:
+   msg = mw.msg( 
'linkfilter-admin-reject-success' );
+   break;
}
-   );
+   $( '#action-buttons-' + link_id ).html( msg ).show( 
1000 );
+   } );
},
 
/**
@@ -91,28 +87,28 @@
}
 };
 
-jQuery( document ).ready( function() {
+$( document ).ready( function() {
// "Accept" links on Special:LinkApprove
-   jQuery( 'a.action-accept' ).click( function() {
-   var that = jQuery( this );
+   $( 'a.action-accept' ).click( function() {
+   var that = $( this );
LinkFilter.linkAction( 1, that.data( 'link-id' ) );
} );
 
// "Reject" links on Special:LinkApprove
-   jQuery( 'a.action-reject' ).click( function() {
-   var that = jQuery( this );
+   $( 'a.action-reject' ).click( function() {
+   var that = $( this );
LinkFilter.linkAction( 2, that.data( 'link-id' ) );
} );
 
// Textarea on Special:LinkEdit/Special:LinkSubmit
-   jQuery( 'textarea.lr-input' ).bind( 'keyup', function() {
+   $( 'textarea.lr-input' ).bind( 'keyup', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} ).bind( 'keydown', function() {
LinkFilter.limitText( document.link.lf_desc, 300 );
} );
 
// Submit button on Special:LinkEdit/Special:LinkSubmit
-   jQuery( '#link-submit-button' ).click( function() {
+   $( '#link-submit-button' ).click( function() {