Fix bug 2642 : watchdetails message using HTML instead of wiki syntax. Patch by zigge...
[lhc/web/wiklou.git] / includes / SpecialUnlockdb.php
index 589f89f..9184ab0 100644 (file)
@@ -1,21 +1,38 @@
 <?php
+/**
+ *
+ * @package MediaWiki
+ * @subpackage SpecialPage
+ */
 
-function wfSpecialUnlockdb()
-{
+/**
+ *
+ */
+function wfSpecialUnlockdb() {
        global $wgUser, $wgOut, $wgRequest;
 
-       if ( ! $wgUser->isDeveloper() ) {
+       if ( ! $wgUser->isAllowed('siteadmin') ) {
                $wgOut->developerRequired();
                return;
        }
-       $action = $wgRequest->getText( 'action' );
+       $action = $wgRequest->getVal( 'action' );
        $f = new DBUnlockForm();
 
-       if ( "success" == $action ) { $f->showSuccess(); }
-       else if ( "submit" == $action ) { $f->doSubmit(); }
-       else { $f->showForm( "" ); }
+       if ( "success" == $action ) {
+               $f->showSuccess();
+       } else if ( "submit" == $action && $wgRequest->wasPosted() &&
+               $wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ) ) {
+               $f->doSubmit();
+       } else {
+               $f->showForm( "" );
+       }
 }
 
+/**
+ *
+ * @package MediaWiki
+ * @subpackage SpecialPage
+ */
 class DBUnlockForm {
        function showForm( $err )
        {
@@ -26,30 +43,39 @@ class DBUnlockForm {
 
                if ( "" != $err ) {
                        $wgOut->setSubtitle( wfMsg( "formerror" ) );
-                       $wgOut->addHTML( "<p><font color='red' size='+1'>{$err}</font>\n" );
+                       $wgOut->addHTML( '<p class="error">' . htmlspecialchars( $err ) . "</p>\n" );
                }
-               $lc = wfMsg( "unlockconfirm" );
-               $lb = wfMsg( "unlockbtn" );
+               $lc = htmlspecialchars( wfMsg( "unlockconfirm" ) );
+               $lb = htmlspecialchars( wfMsg( "unlockbtn" ) );
                $titleObj = Title::makeTitle( NS_SPECIAL, "Unlockdb" );
                $action = $titleObj->escapeLocalURL( "action=submit" );
+               $token = htmlspecialchars( $wgUser->editToken() );
+
+               $wgOut->addHTML( <<<END
 
-               $wgOut->addHTML( "<p>
-<form id=\"unlockdb\" method=\"post\" action=\"{$action}\">
-<table border=0><tr>
-<td align=right>
-<input type=checkbox name=\"wpLockConfirm\">
-</td>
-<td align=\"left\">{$lc}<td>
-</tr><tr>
-<td>&nbsp;</td><td align=left>
-<input type=submit name=\"wpLock\" value=\"{$lb}\">
-</td></tr></table>
-</form>\n" );
+<form id="unlockdb" method="post" action="{$action}">
+<table border="0">
+       <tr>
+               <td align="right">
+                       <input type="checkbox" name="wpLockConfirm" />
+               </td>
+               <td align="left">{$lc}</td>
+       </tr>
+       <tr>
+               <td>&nbsp;</td>
+               <td align="left">
+                       <input type="submit" name="wpLock" value="{$lb}" />
+               </td>
+       </tr>
+</table>
+<input type="hidden" name="wpEditToken" value="{$token}" />
+</form>
+END
+);
 
        }
 
-       function doSubmit()
-       {
+       function doSubmit() {
                global $wgOut, $wgUser, $wgLang;
                global $wgRequest, $wgReadOnlyFile;
 
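Review bot: `showForm( $err )` and `doSubmit()` still have no doc comment even though this commit adds one to the class, and `doSubmit()` in particular deserves one because it does not re-check the edit token itself — it relies on `wfSpecialUnlockdb()` having verified `wasPosted()` and `matchEditToken()` before calling it, and a future caller that skips that step would reopen the CSRF hole this patch closes. A one-line note such as `/** Unlock the database; callers must have verified POST + edit token (see wfSpecialUnlockdb). */` on `doSubmit()` and `/** @param string $err error text, or "" for none; escaped here before output */` on `showForm()` would record that contract. The heredoc also begins with an empty line, so the emitted HTML has a stray blank line before `<form>`; dropping it is cosmetic but cheap. `doSubmit()` continues past the end of this hunk.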
@@ -58,7 +84,7 @@ class DBUnlockForm {
                        $this->showForm( wfMsg( "locknoconfirm" ) );
                        return;
                }
-               if ( ! unlink( $wgReadOnlyFile ) ) {
+               if ( @! unlink( $wgReadOnlyFile ) ) {
                        $wgOut->fileDeleteError( $wgReadOnlyFile );
                        return;
                }
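Review bot: The `@` in `if ( @! unlink( $wgReadOnlyFile ) )` suppresses the warning that would explain why the unlock failed (permission denied, missing file, read-only mount), so the admin only ever sees `fileDeleteError()` with no cause; the unusual `@!` placement also reads as if the negation were being suppressed. If the intent is just to keep the warning out of the page, the conventional `if ( ! @unlink( $wgReadOnlyFile ) )` scopes the suppression to the filesystem call; better still, test `file_exists( $wgReadOnlyFile )` first so an already-unlocked wiki is reported as such rather than as a delete failure. `doSubmit()` starts in the previous hunk and ends in the next one.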
@@ -67,8 +93,7 @@ class DBUnlockForm {
                $wgOut->redirect( $success );
        }
 
-       function showSuccess()
-       {
+       function showSuccess() {
                global $wgOut, $wgUser;
                global $ip;