'rsd' => 'ApiRsd',
'compare' => 'ApiComparePages',
'tokens' => 'ApiTokens',
+ 'checktoken' => 'ApiCheckToken',
// Write modules
'purge' => 'ApiPurge',
'options' => 'ApiOptions',
'imagerotate' => 'ApiImageRotate',
'revisiondelete' => 'ApiRevisionDelete',
+ 'managetags' => 'ApiManageTags',
);
/**
// Remove all modules other than login
global $wgUser;
- if ( $this->getVal( 'callback' ) !== null ) {
- // JSON callback allows cross-site reads.
- // For safety, strip user credentials.
- wfDebug( "API: stripping user credentials for JSON callback\n" );
+ if ( $this->lacksSameOriginSecurity() ) {
+ // If we're in a mode that breaks the same-origin policy, strip
+ // user credentials for security.
+ wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
$wgUser = new User();
$this->getContext()->setUser( $wgUser );
}
$this->mModuleMgr->addModules( self::$Formats, 'format' );
$this->mModuleMgr->addModules( $config->get( 'APIFormatModules' ), 'format' );
+ Hooks::run( 'ApiMain::moduleManager', array( $this->mModuleMgr ) );
+
$this->mResult = new ApiResult( $this );
$this->mEnableWrite = $enableWrite;
$out->addVaryHeader( 'X-Forwarded-Proto' );
}
+ // The logic should be:
+ // $this->mCacheControl['max-age'] is set?
+ // Use it, the module knows better than our guess.
+ // !$this->mModule || $this->mModule->isWriteMode(), and mCacheMode is private?
+ // Use 0 because we can guess caching is probably the wrong thing to do.
+ // Use $this->getParameter( 'maxage' ), which already defaults to 0.
+ $maxage = 0;
+ if ( isset( $this->mCacheControl['max-age'] ) ) {
+ $maxage = $this->mCacheControl['max-age'];
+ } elseif ( ( $this->mModule && !$this->mModule->isWriteMode() ) ||
+ $this->mCacheMode !== 'private'
+ ) {
+ $maxage = $this->getParameter( 'maxage' );
+ }
+ $privateCache = 'private, must-revalidate, max-age=' . $maxage;
+
if ( $this->mCacheMode == 'private' ) {
- $response->header( 'Cache-Control: private' );
+ $response->header( "Cache-Control: $privateCache" );
return;
}
$response->header( $out->getXVO() );
if ( $out->haveCacheVaryCookies() ) {
// Logged in, mark this request private
- $response->header( 'Cache-Control: private' );
+ $response->header( "Cache-Control: $privateCache" );
return;
}
// Logged out, send normal public headers below
} elseif ( session_id() != '' ) {
// Logged in or otherwise has session (e.g. anonymous users who have edited)
// Mark request private
- $response->header( 'Cache-Control: private' );
+ $response->header( "Cache-Control: $privateCache" );
return;
} // else no XVO and anonymous, send public headers below
// Public cache not requested
// Sending a Vary header in this case is harmless, and protects us
// against conditional calls of setCacheMaxAge().
- $response->header( 'Cache-Control: private' );
+ $response->header( "Cache-Control: $privateCache" );
return;
}
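Review bot: The value of `$this->getParameter( 'maxage' )` at L46 is concatenated straight into the header string at L48 without a cast, so if the parameter ever arrives as null or a non-numeric string the emitted header degrades to `max-age=` (or an unparseable directive) and caches fall back to their own heuristics; I would pin it as `$maxage = (int)$this->getParameter( 'maxage' );` so the `max-age=0` default claimed by the comment at L39 holds regardless of how the parameter is declared. The comment block at L34–L39 describes the condition in its negated form ("!mModule || isWriteMode(), and private → 0"), while the code at L43–L44 is the De Morgan'd positive form, which forces a reader to invert it mentally; restating it as `// Otherwise (non-write module, or cache mode is not private): use the maxage parameter` next to the elseif would make the two agree at a glance. Keeping `private` on every branch means the user-supplied max-age only ever reaches the browser cache, not shared proxies, which looks right, but the enclosing function's signature and the earlier `mCacheMode` handling are outside this hunk, so that reading is inferred.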