dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ApiEditPage: Test for bad redirect targets
[lhc/web/wiklou.git] / includes / api / ApiEditPage.php
1 <?php
2 /**
3 * Copyright © 2007 Iker Labarga "<Firstname><Lastname>@gmail.com"
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 */
22
23 /**
24 * A module that allows for editing and creating pages.
25 *
26 * Currently, this wraps around the EditPage class in an ugly way,
27 * EditPage.php should be rewritten to provide a cleaner interface,
28 * see T20654 if you're inspired to fix this.
29 *
30 * @ingroup API
31 */
32 class ApiEditPage extends ApiBase {
33 public function execute() {
34 $this->useTransactionalTimeLimit();
35
36 $user = $this->getUser();
37 $params = $this->extractRequestParams();
38
39 $this->requireAtLeastOneParameter( $params, 'text', 'appendtext', 'prependtext', 'undo' );
40
41 $pageObj = $this->getTitleOrPageId( $params );
42 $titleObj = $pageObj->getTitle();
43 $apiResult = $this->getResult();
44
45 if ( $params['redirect'] ) {
46 if ( $params['prependtext'] === null && $params['appendtext'] === null
47 && $params['section'] !== 'new'
48 ) {
49 $this->dieWithError( 'apierror-redirect-appendonly' );
50 }
51 if ( $titleObj->isRedirect() ) {
52 $oldTitle = $titleObj;
53
54 $titles = Revision::newFromTitle( $oldTitle, false, Revision::READ_LATEST )
55 ->getContent( Revision::FOR_THIS_USER, $user )
56 ->getRedirectChain();
57 // array_shift( $titles );
58
59 $redirValues = [];
60
61 /** @var Title $newTitle */
62 foreach ( $titles as $id => $newTitle ) {
63 if ( !isset( $titles[$id - 1] ) ) {
64 $titles[$id - 1] = $oldTitle;
65 }
66
67 $redirValues[] = [
68 'from' => $titles[$id - 1]->getPrefixedText(),
69 'to' => $newTitle->getPrefixedText()
70 ];
71
72 $titleObj = $newTitle;
73
74 // T239428: Check whether the new title is valid
75 if ( $titleObj->isExternal() || !$titleObj->canExist() ) {
76 $redirValues[count( $redirValues ) - 1]['to'] = $titleObj->getFullText();
77 $this->dieWithError(
78 [
79 'apierror-edit-invalidredirect',
80 Message::plaintextParam( $oldTitle->getPrefixedText() ),
81 Message::plaintextParam( $titleObj->getFullText() ),
82 ],
83 'edit-invalidredirect',
84 [ 'redirects' => $redirValues ]
85 );
86 }
87 }
88
89 ApiResult::setIndexedTagName( $redirValues, 'r' );
90 $apiResult->addValue( null, 'redirects', $redirValues );
91
92 // Since the page changed, update $pageObj
93 $pageObj = WikiPage::factory( $titleObj );
94 }
95 }
96
97 if ( !isset( $params['contentmodel'] ) || $params['contentmodel'] == '' ) {
98 $contentHandler = $pageObj->getContentHandler();
99 } else {
100 $contentHandler = ContentHandler::getForModelID( $params['contentmodel'] );
101 }
102 $contentModel = $contentHandler->getModelID();
103
104 $name = $titleObj->getPrefixedDBkey();
105 $model = $contentHandler->getModelID();
106
107 if ( $params['undo'] > 0 ) {
108 // allow undo via api
109 } elseif ( $contentHandler->supportsDirectApiEditing() === false ) {
110 $this->dieWithError( [ 'apierror-no-direct-editing', $model, $name ] );
111 }
112
113 if ( !isset( $params['contentformat'] ) || $params['contentformat'] == '' ) {
114 $contentFormat = $contentHandler->getDefaultFormat();
115 } else {
116 $contentFormat = $params['contentformat'];
117 }
118
119 if ( !$contentHandler->isSupportedFormat( $contentFormat ) ) {
120 $this->dieWithError( [ 'apierror-badformat', $contentFormat, $model, $name ] );
121 }
122
123 if ( $params['createonly'] && $titleObj->exists() ) {
124 $this->dieWithError( 'apierror-articleexists' );
125 }
126 if ( $params['nocreate'] && !$titleObj->exists() ) {
127 $this->dieWithError( 'apierror-missingtitle' );
128 }
129
130 // Now let's check whether we're even allowed to do this
131 $this->checkTitleUserPermissions(
132 $titleObj,
133 $titleObj->exists() ? 'edit' : [ 'edit', 'create' ]
134 );
135
136 $toMD5 = $params['text'];
137 if ( !is_null( $params['appendtext'] ) || !is_null( $params['prependtext'] ) ) {
138 $content = $pageObj->getContent();
139
140 if ( !$content ) {
141 if ( $titleObj->getNamespace() == NS_MEDIAWIKI ) {
142 # If this is a MediaWiki:x message, then load the messages
143 # and return the message value for x.
144 $text = $titleObj->getDefaultMessageText();
145 if ( $text === false ) {
146 $text = '';
147 }
148
149 try {
150 $content = ContentHandler::makeContent( $text, $titleObj );
151 } catch ( MWContentSerializationException $ex ) {
152 $this->dieWithException( $ex, [
153 'wrap' => ApiMessage::create( 'apierror-contentserializationexception', 'parseerror' )
154 ] );
155 return;
156 }
157 } else {
158 # Otherwise, make a new empty content.
159 $content = $contentHandler->makeEmptyContent();
160 }
161 }
162
163 // @todo Add support for appending/prepending to the Content interface
164
165 if ( !( $content instanceof TextContent ) ) {
166 $modelName = $contentHandler->getModelID();
167 $this->dieWithError( [ 'apierror-appendnotsupported', $modelName ] );
168 }
169
170 if ( !is_null( $params['section'] ) ) {
171 if ( !$contentHandler->supportsSections() ) {
172 $modelName = $contentHandler->getModelID();
173 $this->dieWithError( [ 'apierror-sectionsnotsupported', $modelName ] );
174 }
175
176 if ( $params['section'] == 'new' ) {
177 // DWIM if they're trying to prepend/append to a new section.
178 $content = null;
179 } else {
180 // Process the content for section edits
181 $section = $params['section'];
182 $content = $content->getSection( $section );
183
184 if ( !$content ) {
185 $this->dieWithError( [ 'apierror-nosuchsection', wfEscapeWikiText( $section ) ] );
186 }
187 }
188 }
189
190 if ( !$content ) {
191 $text = '';
192 } else {
193 $text = $content->serialize( $contentFormat );
194 }
195
196 $params['text'] = $params['prependtext'] . $text . $params['appendtext'];
197 $toMD5 = $params['prependtext'] . $params['appendtext'];
198 }
199
200 if ( $params['undo'] > 0 ) {
201 if ( $params['undoafter'] > 0 ) {
202 if ( $params['undo'] < $params['undoafter'] ) {
203 list( $params['undo'], $params['undoafter'] ) =
204 [ $params['undoafter'], $params['undo'] ];
205 }
206 $undoafterRev = Revision::newFromId( $params['undoafter'] );
207 }
208 $undoRev = Revision::newFromId( $params['undo'] );
209 if ( is_null( $undoRev ) || $undoRev->isDeleted( Revision::DELETED_TEXT ) ) {
210 $this->dieWithError( [ 'apierror-nosuchrevid', $params['undo'] ] );
211 }
212
213 if ( $params['undoafter'] == 0 ) {
214 $undoafterRev = $undoRev->getPrevious();
215 }
216 if ( is_null( $undoafterRev ) || $undoafterRev->isDeleted( Revision::DELETED_TEXT ) ) {
217 $this->dieWithError( [ 'apierror-nosuchrevid', $params['undoafter'] ] );
218 }
219
220 if ( $undoRev->getPage() != $pageObj->getId() ) {
221 $this->dieWithError( [ 'apierror-revwrongpage', $undoRev->getId(),
222 $titleObj->getPrefixedText() ] );
223 }
224 if ( $undoafterRev->getPage() != $pageObj->getId() ) {
225 $this->dieWithError( [ 'apierror-revwrongpage', $undoafterRev->getId(),
226 $titleObj->getPrefixedText() ] );
227 }
228
229 $newContent = $contentHandler->getUndoContent(
230 $pageObj->getRevision(),
231 $undoRev,
232 $undoafterRev
233 );
234
235 if ( !$newContent ) {
236 $this->dieWithError( 'undo-failure', 'undofailure' );
237 }
238 if ( empty( $params['contentmodel'] )
239 && empty( $params['contentformat'] )
240 ) {
241 // If we are reverting content model, the new content model
242 // might not support the current serialization format, in
243 // which case go back to the old serialization format,
244 // but only if the user hasn't specified a format/model
245 // parameter.
246 if ( !$newContent->isSupportedFormat( $contentFormat ) ) {
247 $contentFormat = $undoafterRev->getContentFormat();
248 }
249 // Override content model with model of undid revision.
250 $contentModel = $newContent->getModel();
251 }
252 $params['text'] = $newContent->serialize( $contentFormat );
253 // If no summary was given and we only undid one rev,
254 // use an autosummary
255 if ( is_null( $params['summary'] ) &&
256 $titleObj->getNextRevisionID( $undoafterRev->getId() ) == $params['undo']
257 ) {
258 $params['summary'] = wfMessage( 'undo-summary' )
259 ->params( $params['undo'], $undoRev->getUserText() )->inContentLanguage()->text();
260 }
261 }
262
263 // See if the MD5 hash checks out
264 if ( !is_null( $params['md5'] ) && md5( $toMD5 ) !== $params['md5'] ) {
265 $this->dieWithError( 'apierror-badmd5' );
266 }
267
268 // EditPage wants to parse its stuff from a WebRequest
269 // That interface kind of sucks, but it's workable
270 $requestArray = [
271 'wpTextbox1' => $params['text'],
272 'format' => $contentFormat,
273 'model' => $contentModel,
274 'wpEditToken' => $params['token'],
275 'wpIgnoreBlankSummary' => true,
276 'wpIgnoreBlankArticle' => true,
277 'wpIgnoreSelfRedirect' => true,
278 'bot' => $params['bot'],
279 'wpUnicodeCheck' => EditPage::UNICODE_CHECK,
280 ];
281
282 if ( !is_null( $params['summary'] ) ) {
283 $requestArray['wpSummary'] = $params['summary'];
284 }
285
286 if ( !is_null( $params['sectiontitle'] ) ) {
287 $requestArray['wpSectionTitle'] = $params['sectiontitle'];
288 }
289
290 // TODO: Pass along information from 'undoafter' as well
291 if ( $params['undo'] > 0 ) {
292 $requestArray['wpUndidRevision'] = $params['undo'];
293 }
294
295 // Watch out for basetimestamp == '' or '0'
296 // It gets treated as NOW, almost certainly causing an edit conflict
297 if ( $params['basetimestamp'] !== null && (bool)$this->getMain()->getVal( 'basetimestamp' ) ) {
298 $requestArray['wpEdittime'] = $params['basetimestamp'];
299 } else {
300 $requestArray['wpEdittime'] = $pageObj->getTimestamp();
301 }
302
303 if ( $params['starttimestamp'] !== null ) {
304 $requestArray['wpStarttime'] = $params['starttimestamp'];
305 } else {
306 $requestArray['wpStarttime'] = wfTimestampNow(); // Fake wpStartime
307 }
308
309 if ( $params['minor'] || ( !$params['notminor'] && $user->getOption( 'minordefault' ) ) ) {
310 $requestArray['wpMinoredit'] = '';
311 }
312
313 if ( $params['recreate'] ) {
314 $requestArray['wpRecreate'] = '';
315 }
316
317 if ( !is_null( $params['section'] ) ) {
318 $section = $params['section'];
319 if ( !preg_match( '/^((T-)?\d+|new)$/', $section ) ) {
320 $this->dieWithError( 'apierror-invalidsection' );
321 }
322 $content = $pageObj->getContent();
323 if ( $section !== '0' && $section != 'new'
324 && ( !$content || !$content->getSection( $section ) )
325 ) {
326 $this->dieWithError( [ 'apierror-nosuchsection', $section ] );
327 }
328 $requestArray['wpSection'] = $params['section'];
329 } else {
330 $requestArray['wpSection'] = '';
331 }
332
333 $watch = $this->getWatchlistValue( $params['watchlist'], $titleObj );
334
335 // Deprecated parameters
336 if ( $params['watch'] ) {
337 $watch = true;
338 } elseif ( $params['unwatch'] ) {
339 $watch = false;
340 }
341
342 if ( $watch ) {
343 $requestArray['wpWatchthis'] = '';
344 }
345
346 // Apply change tags
347 if ( $params['tags'] ) {
348 $tagStatus = ChangeTags::canAddTagsAccompanyingChange( $params['tags'], $user );
349 if ( $tagStatus->isOK() ) {
350 $requestArray['wpChangeTags'] = implode( ',', $params['tags'] );
351 } else {
352 $this->dieStatus( $tagStatus );
353 }
354 }
355
356 // Pass through anything else we might have been given, to support extensions
357 // This is kind of a hack but it's the best we can do to make extensions work
358 $requestArray += $this->getRequest()->getValues();
359
360 global $wgTitle, $wgRequest;
361
362 $req = new DerivativeRequest( $this->getRequest(), $requestArray, true );
363
364 // Some functions depend on $wgTitle == $ep->mTitle
365 // TODO: Make them not or check if they still do
366 $wgTitle = $titleObj;
367
368 $articleContext = new RequestContext;
369 $articleContext->setRequest( $req );
370 $articleContext->setWikiPage( $pageObj );
371 $articleContext->setUser( $this->getUser() );
372
373 /** @var Article $articleObject */
374 $articleObject = Article::newFromWikiPage( $pageObj, $articleContext );
375
376 $ep = new EditPage( $articleObject );
377
378 $ep->setApiEditOverride( true );
379 $ep->setContextTitle( $titleObj );
380 $ep->importFormData( $req );
381 $content = $ep->textbox1;
382
383 // Run hooks
384 // Handle APIEditBeforeSave parameters
385 $r = [];
386 // Deprecated in favour of EditFilterMergedContent
387 if ( !Hooks::run( 'APIEditBeforeSave', [ $ep, $content, &$r ], '1.28' ) ) {
388 if ( count( $r ) ) {
389 $r['result'] = 'Failure';
390 $apiResult->addValue( null, $this->getModuleName(), $r );
391
392 return;
393 }
394
395 $this->dieWithError( 'hookaborted' );
396 }
397
398 // Do the actual save
399 $oldRevId = $articleObject->getRevIdFetched();
400 $result = null;
401 // Fake $wgRequest for some hooks inside EditPage
402 // @todo FIXME: This interface SUCKS
403 $oldRequest = $wgRequest;
404 $wgRequest = $req;
405
406 $status = $ep->attemptSave( $result );
407 $wgRequest = $oldRequest;
408
409 switch ( $status->value ) {
410 case EditPage::AS_HOOK_ERROR:
411 case EditPage::AS_HOOK_ERROR_EXPECTED:
412 if ( isset( $status->apiHookResult ) ) {
413 $r = $status->apiHookResult;
414 $r['result'] = 'Failure';
415 $apiResult->addValue( null, $this->getModuleName(), $r );
416 return;
417 }
418 if ( !$status->getErrors() ) {
419 // This appears to be unreachable right now, because all
420 // code paths will set an error. Could change, though.
421 $status->fatal( 'hookaborted' ); //@codeCoverageIgnore
422 }
423 $this->dieStatus( $status );
424
425 // These two cases will normally have been caught earlier, and will
426 // only occur if something blocks the user between the earlier
427 // check and the check in EditPage (presumably a hook). It's not
428 // obvious that this is even possible.
429 // @codeCoverageIgnoreStart
430 case EditPage::AS_BLOCKED_PAGE_FOR_USER:
431 $this->dieWithError(
432 'apierror-blocked',
433 'blocked',
434 [ 'blockinfo' => ApiQueryUserInfo::getBlockInfo( $user->getBlock() ) ]
435 );
436
437 case EditPage::AS_READ_ONLY_PAGE:
438 $this->dieReadOnly();
439 // @codeCoverageIgnoreEnd
440
441 case EditPage::AS_SUCCESS_NEW_ARTICLE:
442 $r['new'] = true;
443 // fall-through
444
445 case EditPage::AS_SUCCESS_UPDATE:
446 $r['result'] = 'Success';
447 $r['pageid'] = intval( $titleObj->getArticleID() );
448 $r['title'] = $titleObj->getPrefixedText();
449 $r['contentmodel'] = $articleObject->getContentModel();
450 $newRevId = $articleObject->getLatest();
451 if ( $newRevId == $oldRevId ) {
452 $r['nochange'] = true;
453 } else {
454 $r['oldrevid'] = intval( $oldRevId );
455 $r['newrevid'] = intval( $newRevId );
456 $r['newtimestamp'] = wfTimestamp( TS_ISO_8601,
457 $pageObj->getTimestamp() );
458 }
459 break;
460
461 default:
462 if ( !$status->getErrors() ) {
463 // EditPage sometimes only sets the status code without setting
464 // any actual error messages. Supply defaults for those cases.
465 switch ( $status->value ) {
466 // Currently needed
467 case EditPage::AS_IMAGE_REDIRECT_ANON:
468 $status->fatal( 'apierror-noimageredirect-anon' );
469 break;
470 case EditPage::AS_IMAGE_REDIRECT_LOGGED:
471 $status->fatal( 'apierror-noimageredirect' );
472 break;
473 case EditPage::AS_CONTENT_TOO_BIG:
474 case EditPage::AS_MAX_ARTICLE_SIZE_EXCEEDED:
475 $status->fatal( 'apierror-contenttoobig', $this->getConfig()->get( 'MaxArticleSize' ) );
476 break;
477 case EditPage::AS_READ_ONLY_PAGE_ANON:
478 $status->fatal( 'apierror-noedit-anon' );
479 break;
480 case EditPage::AS_NO_CHANGE_CONTENT_MODEL:
481 $status->fatal( 'apierror-cantchangecontentmodel' );
482 break;
483 case EditPage::AS_ARTICLE_WAS_DELETED:
484 $status->fatal( 'apierror-pagedeleted' );
485 break;
486 case EditPage::AS_CONFLICT_DETECTED:
487 $status->fatal( 'editconflict' );
488 break;
489
490 // Currently shouldn't be needed, but here in case
491 // hooks use them without setting appropriate
492 // errors on the status.
493 // @codeCoverageIgnoreStart
494 case EditPage::AS_SPAM_ERROR:
495 $status->fatal( 'apierror-spamdetected', $result['spam'] );
496 break;
497 case EditPage::AS_READ_ONLY_PAGE_LOGGED:
498 $status->fatal( 'apierror-noedit' );
499 break;
500 case EditPage::AS_RATE_LIMITED:
501 $status->fatal( 'apierror-ratelimited' );
502 break;
503 case EditPage::AS_NO_CREATE_PERMISSION:
504 $status->fatal( 'nocreate-loggedin' );
505 break;
506 case EditPage::AS_BLANK_ARTICLE:
507 $status->fatal( 'apierror-emptypage' );
508 break;
509 case EditPage::AS_TEXTBOX_EMPTY:
510 $status->fatal( 'apierror-emptynewsection' );
511 break;
512 case EditPage::AS_SUMMARY_NEEDED:
513 $status->fatal( 'apierror-summaryrequired' );
514 break;
515 default:
516 wfWarn( __METHOD__ . ": Unknown EditPage code {$status->value} with no message" );
517 $status->fatal( 'apierror-unknownerror-editpage', $status->value );
518 break;
519 // @codeCoverageIgnoreEnd
520 }
521 }
522 $this->dieStatus( $status );
523 }
524 $apiResult->addValue( null, $this->getModuleName(), $r );
525 }
526
527 public function mustBePosted() {
528 return true;
529 }
530
531 public function isWriteMode() {
532 return true;
533 }
534
535 public function getAllowedParams() {
536 return [
537 'title' => [
538 ApiBase::PARAM_TYPE => 'string',
539 ],
540 'pageid' => [
541 ApiBase::PARAM_TYPE => 'integer',
542 ],
543 'section' => null,
544 'sectiontitle' => [
545 ApiBase::PARAM_TYPE => 'string',
546 ],
547 'text' => [
548 ApiBase::PARAM_TYPE => 'text',
549 ],
550 'summary' => null,
551 'tags' => [
552 ApiBase::PARAM_TYPE => 'tags',
553 ApiBase::PARAM_ISMULTI => true,
554 ],
555 'minor' => false,
556 'notminor' => false,
557 'bot' => false,
558 'basetimestamp' => [
559 ApiBase::PARAM_TYPE => 'timestamp',
560 ],
561 'starttimestamp' => [
562 ApiBase::PARAM_TYPE => 'timestamp',
563 ],
564 'recreate' => false,
565 'createonly' => false,
566 'nocreate' => false,
567 'watch' => [
568 ApiBase::PARAM_DFLT => false,
569 ApiBase::PARAM_DEPRECATED => true,
570 ],
571 'unwatch' => [
572 ApiBase::PARAM_DFLT => false,
573 ApiBase::PARAM_DEPRECATED => true,
574 ],
575 'watchlist' => [
576 ApiBase::PARAM_DFLT => 'preferences',
577 ApiBase::PARAM_TYPE => [
578 'watch',
579 'unwatch',
580 'preferences',
581 'nochange'
582 ],
583 ],
584 'md5' => null,
585 'prependtext' => [
586 ApiBase::PARAM_TYPE => 'text',
587 ],
588 'appendtext' => [
589 ApiBase::PARAM_TYPE => 'text',
590 ],
591 'undo' => [
592 ApiBase::PARAM_TYPE => 'integer',
593 ApiBase::PARAM_MIN => 0,
594 ApiBase::PARAM_RANGE_ENFORCE => true,
595 ],
596 'undoafter' => [
597 ApiBase::PARAM_TYPE => 'integer',
598 ApiBase::PARAM_MIN => 0,
599 ApiBase::PARAM_RANGE_ENFORCE => true,
600 ],
601 'redirect' => [
602 ApiBase::PARAM_TYPE => 'boolean',
603 ApiBase::PARAM_DFLT => false,
604 ],
605 'contentformat' => [
606 ApiBase::PARAM_TYPE => ContentHandler::getAllContentFormats(),
607 ],
608 'contentmodel' => [
609 ApiBase::PARAM_TYPE => ContentHandler::getContentModels(),
610 ],
611 'token' => [
612 // Standard definition automatically inserted
613 ApiBase::PARAM_HELP_MSG_APPEND => [ 'apihelp-edit-param-token' ],
614 ],
615 ];
616 }
617
618 public function needsToken() {
619 return 'csrf';
620 }
621
622 protected function getExamplesMessages() {
623 return [
624 'action=edit&title=Test&summary=test%20summary&' .
625 'text=article%20content&basetimestamp=2007-08-24T12:34:54Z&token=123ABC'
626 => 'apihelp-edit-example-edit',
627 'action=edit&title=Test&summary=NOTOC&minor=&' .
628 'prependtext=__NOTOC__%0A&basetimestamp=2007-08-24T12:34:54Z&token=123ABC'
629 => 'apihelp-edit-example-prepend',
630 'action=edit&title=Test&undo=13585&undoafter=13579&' .
631 'basetimestamp=2007-08-24T12:34:54Z&token=123ABC'
632 => 'apihelp-edit-example-undo',
633 ];
634 }
635
636 public function getHelpUrls() {
637 return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:Edit';
638 }
639 }
Wiklou, le Wiki du Wiklou