*Don't let the API action=protect set actions that aren't in $wgRestrictionTypes...

*Pass an array to Article::updateRestrictions for the expiry. Though it should allow for separate expiry times, like the normal UI.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e0b7135..1500ac8 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -256,6 +256,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * list=random now has rnredirect parameter, to get random redirects.
 * Added APIAfterExecute, APIQueryAfterExecute and APIQueryGeneratorAfterExecute
   hooks which allow for extending core modules in a cleaner way
+* action=protect checks for invalid protection types and levels
 
 === Languages updated in 1.14 ===
 

diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index bf90fbe..622b020 100644 (file)
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -702,6 +702,8 @@ abstract class ApiBase {
                'nocreate-missing' => array('code' => 'missingtitle', 'info' => "The article you tried to edit doesn't exist"),
                'nosuchrcid' => array('code' => 'nosuchrcid', 'info' => "There is no change with rcid ``\$1''"),
                'cantpurge' => array('code' => 'cantpurge', 'info' => "Only users with the 'purge' right can purge pages via the API"),
+               'protect-invalidaction' => array('code' => 'protect-invalidaction', 'info' => "Invalid protection type ``\$1''"),
+               'protect-invalidlevel' => array('code' => 'protect-invalidlevel', 'info' => "Invalid protection level ``\$1''"),
 
                // ApiEditPage messages
                'noimageredirect-anon' => array('code' => 'noimageredirect-anon', 'info' => "Anonymous users can't create image redirects"),

diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 50cf6c6..d0069cf 100644 (file)
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -37,7 +37,7 @@ class ApiProtect extends ApiBase {
        }
 
        public function execute() {
-               global $wgUser;
+               global $wgUser, $wgRestrictionTypes, $wgRestrictionLevels;
                $this->getMain()->requestWriteMode();
                $params = $this->extractRequestParams();
 
@@ -75,6 +75,7 @@ class ApiProtect extends ApiBase {
                }
 
                $protections = array();
+               $expiryarray = array();
                foreach($params['protections'] as $prot)
                {
                        $p = explode('=', $prot);
@@ -83,11 +84,16 @@ class ApiProtect extends ApiBase {
                                $this->dieUsageMsg(array('create-titleexists'));
                        if(!$titleObj->exists() && $p[0] != 'create')
                                $this->dieUsageMsg(array('missingtitles-createonly'));
+                       if(!in_array($p[0], $wgRestrictionTypes) && $p[0] != 'create')
+                               $this->dieUsageMsg(array('protect-invalidaction', $p[0]));
+                       if(!in_array($p[1], $wgRestrictionLevels) && $p[1] != 'all')
+                               $this->dieUsageMsg(array('protect-invalidlevel', $p[1]));
+                       $expiryarray[$p[0]] = $expiry;
                }
 
                if($titleObj->exists()) {
                        $articleObj = new Article($titleObj);
-                       $ok = $articleObj->updateRestrictions($protections, $params['reason'], $params['cascade'], $expiry);
+                       $ok = $articleObj->updateRestrictions($protections, $params['reason'], $params['cascade'], $expiryarray);
                } else
                        $ok = $titleObj->updateTitleProtection($protections['create'], $params['reason'], $expiry);
                if(!$ok)