SECURITY: Require login to preview user CSS pages
[lhc/web/wiklou.git] / includes / OutputPage.php
index eb3040c..8fb3bc2 100644 (file)
@@ -2852,7 +2852,6 @@ class OutputPage extends ContextSource {
 
        private function isUserJsPreview() {
                return $this->getConfig()->get( 'AllowUserJs' )
-                       && $this->getUser()->isLoggedIn()
                        && $this->getTitle()
                        && $this->getTitle()->isJsSubpage()
                        && $this->userCanPreview();
@@ -3097,6 +3096,11 @@ class OutputPage extends ContextSource {
                }
 
                $user = $this->getUser();
+
+               if ( !$this->getUser()->isLoggedIn() ) {
+                       // Anons have predictable edit tokens
+                       return false;
+               }
                if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
                        return false;
                }
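Review bot: The added guard calls `$this->getUser()->isLoggedIn()` although `$user = $this->getUser();` is assigned two lines above it; writing `if ( !$user->isLoggedIn() ) {` keeps the login check and the following `matchEditToken()` call on the same object. The comment `// Anons have predictable edit tokens` would help the next reader more if it stated the consequence, for example `// Anon edit tokens are predictable, so matchEditToken() is no CSRF protection for them`. Because the first hunk removes the `isLoggedIn()` test from isUserJsPreview(), this guard is now the only login gate on that path. That dependency should be stated in the doc comment of the method being patched here, whose start and end lie outside the hunk. A regression test that sends an anonymous preview request with a token and expects `false` would pin the behaviour.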