From 1f5da24b79f3c28619abb43aa53e04a9031068fe Mon Sep 17 00:00:00 2001
From: Alex Z
Date: Thu, 18 Sep 2008 21:30:51 +0000
Subject: [PATCH 1/1] *Don't let the API action=protect set actions that aren't in $wgRestrictionTypes or levels not in $wgRestrictionLevels *Pass an array to Article::updateRestrictions for the expiry. Though it should allow for separate expiry times, like the normal UI.
---
 RELEASE-NOTES | 1 +
 includes/api/ApiBase.php | 2 ++
 includes/api/ApiProtect.php | 10 ++++++++--
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e0b713549e..1500ac8356 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -256,6 +256,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * list=random now has rnredirect parameter, to get random redirects.
 * Added APIAfterExecute, APIQueryAfterExecute and APIQueryGeneratorAfterExecute hooks which allow for extending core modules in a cleaner way
+* action=protect checks for invalid protection types and levels
 === Languages updated in 1.14 ===
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index bf90fbe53e..622b020bb6 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -702,6 +702,8 @@ abstract class ApiBase {
 'nocreate-missing' => array('code' => 'missingtitle', 'info' => "The article you tried to edit doesn't exist"),
 'nosuchrcid' => array('code' => 'nosuchrcid', 'info' => "There is no change with rcid ``\$1''"),
 'cantpurge' => array('code' => 'cantpurge', 'info' => "Only users with the 'purge' right can purge pages via the API"),
+ 'protect-invalidaction' => array('code' => 'protect-invalidaction', 'info' => "Invalid protection type ``\$1''"),
+ 'protect-invalidlevel' => array('code' => 'protect-invalidlevel', 'info' => "Invalid protection level ``\$1''"),
 // ApiEditPage messages
 'noimageredirect-anon' => array('code' => 'noimageredirect-anon', 'info' => "Anonymous users can't create image redirects"),
diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 50cf6c65b0..d0069cfed8 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -37,7 +37,7 @@ class ApiProtect extends ApiBase {
 }
 public function execute() {
- global $wgUser;
+ global $wgUser, $wgRestrictionTypes, $wgRestrictionLevels;
 $this->getMain()->requestWriteMode();
 $params = $this->extractRequestParams();
@@ -75,6 +75,7 @@ class ApiProtect extends ApiBase {
 }
 $protections = array();
+ $expiryarray = array();
 foreach($params['protections'] as $prot) {
 $p = explode('=', $prot);
@@ -83,11 +84,16 @@ class ApiProtect extends ApiBase {
 $this->dieUsageMsg(array('create-titleexists'));
 if(!$titleObj->exists() && $p[0] != 'create')
 $this->dieUsageMsg(array('missingtitles-createonly'));
+ if(!in_array($p[0], $wgRestrictionTypes) && $p[0] != 'create')
+ $this->dieUsageMsg(array('protect-invalidaction', $p[0]));
+ if(!in_array($p[1], $wgRestrictionLevels) && $p[1] != 'all')
+ $this->dieUsageMsg(array('protect-invalidlevel', $p[1]));
+ $expiryarray[$p[0]] = $expiry;
 }
 if($titleObj->exists()) {
 $articleObj = new Article($titleObj);
- $ok = $articleObj->updateRestrictions($protections, $params['reason'], $params['cascade'], $expiry);
+ $ok = $articleObj->updateRestrictions($protections, $params['reason'], $params['cascade'], $expiryarray);
 } else
 $ok = $titleObj->updateTitleProtection($protections['create'], $params['reason'], $expiry);
 if(!$ok)
-- 
2.20.1
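Review bot: In the third ApiProtect.php hunk, both new `in_array()` checks compare loosely, and `$p[1]` is read without confirming that `explode('=', $prot)` returned two parts. For a `protections` entry with no `=`, `$p[1]` is unset, and a loose `in_array(null, $wgRestrictionLevels)` would match an empty-string level if the configured list contains one (the list is not shown here), so a malformed entry could pass the level check. Unless the two lines between the second and third hunk already reject that case, I would guard it and make both lookups strict: `if(!isset($p[1]) || (!in_array($p[1], $wgRestrictionLevels, true) && $p[1] != 'all'))` and `in_array($p[0], $wgRestrictionTypes, true)`. In the unset case the error should report `$prot` rather than `$p[1]`. The foreach body starts outside this hunk, so the handling of `$p` before these checks is not visible.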