Made loadFromFileCache() always disable $wgOut regardless of whether compression...
[lhc/web/wiklou.git] / includes / HTMLForm.php
index 3999e67..678babc 100644 (file)
@@ -107,10 +107,11 @@ class HTMLForm extends ContextSource {
 
        protected $mTitle;
        protected $mMethod = 'post';
-       
+
        /**
+        * Form action URL. false means we will use the URL to set Title
         * @since 1.19
-        * @var false|string
+        * @var bool|string
         */
        protected $mAction = false;
 
@@ -239,12 +240,27 @@ class HTMLForm extends ContextSource {
         * @return Status|boolean
         */
        function tryAuthorizedSubmit() {
-               $editToken = $this->getRequest()->getVal( 'wpEditToken' );
-
                $result = false;
-               if ( $this->getMethod() != 'post' || $this->getUser()->matchEditToken( $editToken ) ) {
+
+               $submit = false;
+               if ( $this->getMethod() != 'post' ) {
+                       $submit = true; // no session check needed
+               } elseif ( $this->getRequest()->wasPosted() ) {
+                       $editToken = $this->getRequest()->getVal( 'wpEditToken' );
+                       if ( $this->getUser()->isLoggedIn() || $editToken != null ) {
+                               // Session tokens for logged-out users have no security value.
+                               // However, if the user gave one, check it in order to give a nice 
+                               // "session expired" error instead of "permission denied" or such.
+                               $submit = $this->getUser()->matchEditToken( $editToken );
+                       } else {
+                               $submit = true;
+                       }
+               }
+
+               if ( $submit ) {
                        $result = $this->trySubmit();
                }
+
                return $result;
        }
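Review bot: The condition `if ( $this->getUser()->isLoggedIn() || $editToken != null )` uses a loose comparison, so an empty `wpEditToken` from a logged-out user is treated like a missing one and reaches `trySubmit()` with no check. Assuming `getVal()` returns a string or null, `$editToken !== null && $editToken !== ''` would state that intent explicitly, whereas a plain `!== null` would send an empty token through `matchEditToken()` instead. More generally, after this change any non-POST form and any token-less POST from a logged-out user are submitted without token validation, and that contract is only visible in the inline comments. The method docblock, which starts above the hunk, should say so, for example `Non-POST forms and token-less anonymous POSTs are submitted without an edit-token check; submit callbacks that change state for anonymous users must validate on their own.`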
 
@@ -851,19 +867,19 @@ class HTMLForm extends ContextSource {
        public function getLegend( $key ) {
                return wfMsg( "{$this->mMessagePrefix}-$key" );
        }
-       
+
        /**
         * Set the value for the action attribute of the form.
-        * When set to false (which is the default state), the set title is used. 
-        * 
+        * When set to false (which is the default state), the set title is used.
+        *
         * @since 1.19
-        * 
-        * @param string|false $action
+        *
+        * @param string|bool $action
         */
        public function setAction( $action ) {
                $this->mAction = $action;
        }
-       
+
 }
 
 /**