Made loadFromFileCache() always disable $wgOut regardless of whether compression...
[lhc/web/wiklou.git] / includes / HTMLForm.php
index 41a12c1..678babc 100644 (file)
@@ -108,6 +108,13 @@ class HTMLForm extends ContextSource {
        protected $mTitle;
        protected $mMethod = 'post';
 
+       /**
+        * Form action URL. false means we will use the URL to set Title
+        * @since 1.19
+        * @var bool|string
+        */
+       protected $mAction = false;
+
        protected $mUseMultipart = false;
        protected $mHiddenFields = array();
        protected $mButtons = array();
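Review bot: The docblock on `$mAction` reads backwards: "false means we will use the URL to set Title" suggests the URL determines the title, whereas the form-building hunk uses `getTitle()->getFullURL()` as the action when the property is false. I would word it as `Form action URL. false means the full URL of the form's title is used.` so that it agrees with the description on setAction().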
@@ -233,12 +240,27 @@ class HTMLForm extends ContextSource {
         * @return Status|boolean
         */
        function tryAuthorizedSubmit() {
-               $editToken = $this->getRequest()->getVal( 'wpEditToken' );
-
                $result = false;
-               if ( $this->getMethod() != 'post' || $this->getUser()->matchEditToken( $editToken ) ) {
+
+               $submit = false;
+               if ( $this->getMethod() != 'post' ) {
+                       $submit = true; // no session check needed
+               } elseif ( $this->getRequest()->wasPosted() ) {
+                       $editToken = $this->getRequest()->getVal( 'wpEditToken' );
+                       if ( $this->getUser()->isLoggedIn() || $editToken != null ) {
+                               // Session tokens for logged-out users have no security value.
+                               // However, if the user gave one, check it in order to give a nice 
+                               // "session expired" error instead of "permission denied" or such.
+                               $submit = $this->getUser()->matchEditToken( $editToken );
+                       } else {
+                               $submit = true;
+                       }
+               }
+
+               if ( $submit ) {
                        $result = $this->trySubmit();
                }
+
                return $result;
        }
 
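Review bot: The new `else` branch sets `$submit = true` for any posted request from a logged-out user that carries no `wpEditToken`, so for anonymous sessions this method performs no cross-site request check at all, and that contract is stated only in an inline comment. The method docblock, which starts above the hunk, should say so explicitly, e.g. `Note: no token is required from logged-out users; submit callbacks whose effect does not depend on a logged-in identity must not rely on this method for CSRF protection.` Separately, `$editToken != null` is a loose comparison, so an empty `wpEditToken=` is treated the same as an absent one. If that is intended, `$editToken !== null && $editToken !== ''` states it explicitly.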
@@ -472,7 +494,7 @@ class HTMLForm extends ContextSource {
                        : 'application/x-www-form-urlencoded';
                # Attributes
                $attribs = array(
-                       'action'  => $this->getTitle()->getFullURL(),
+                       'action'  => $this->mAction === false ? $this->getTitle()->getFullURL() : $this->mAction,
                        'method'  => $this->mMethod,
                        'class'   => 'visualClear',
                        'enctype' => $encType,
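Review bot: `$this->mAction` is written into the `action` attribute exactly as the caller supplied it, and setAction() in the last hunk stores any value without a check. For post forms the submitted fields presumably include the `wpEditToken` that tryAuthorizedSubmit() reads, so an action pointing at another host would send a logged-in user's token there. The hidden-field code is not visible in this diff, so that needs confirming. At minimum the setAction() docblock should state the expectation, e.g. `@param string|bool $action Local URL to submit to, or false to use the title's URL; must not be built from request input.` The `$attribs` array starts and ends outside this hunk.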
@@ -845,6 +867,19 @@ class HTMLForm extends ContextSource {
        public function getLegend( $key ) {
                return wfMsg( "{$this->mMessagePrefix}-$key" );
        }
+
+       /**
+        * Set the value for the action attribute of the form.
+        * When set to false (which is the default state), the set title is used.
+        *
+        * @since 1.19
+        *
+        * @param string|bool $action
+        */
+       public function setAction( $action ) {
+               $this->mAction = $action;
+       }
+
 }
 
 /**