From 0927a5045d409dd8634954513ecdb1eced7abb18 Mon Sep 17 00:00:00 2001
From: Fomafix
Date: Sat, 29 Apr 2017 21:00:04 +0200
Subject: [PATCH] Clear postEdit cookie on server-side
* Load module 'mediawiki.action.view.postEdit' only when needed.
* Transfer message key via JavaScript config variable wgPostEdit.
* The response is maked as not-cachable to prevent that other users get the post edit message.
This change redefines the global JavaScript variable wgPostEdit from true to a string and set it on server-side.
Bug: T164148
Change-Id: Id780bc280ce4a2fa4606141419932b7dcd45157b
---
 includes/EditPage.php | 10 ++----
 includes/page/Article.php | 12 ++++++-
 resources/Resources.php | 1 -
 .../mediawiki.action.view.postEdit.js | 36 +++++++------------
 4 files changed, 26 insertions(+), 33 deletions(-)
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 0d3c74ff4d..b1f50f089d 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1452,10 +1452,8 @@ class EditPage {
 * This uses a temporary cookie for each revision ID so separate saves will never
 * interfere with each other.
 *
- * The cookie is deleted in the mediawiki.action.view.postEdit JS module after
- * the redirect. It must be clearable by JavaScript code, so it must not be
- * marked HttpOnly. The JavaScript code converts the cookie to a wgPostEdit config
- * variable.
+ * Article::view deletes the cookie on server-side after the redirect and
+ * converts the value to the global JavaScript variable wgPostEdit.
 *
 * If the variable were set on the server, it would be cached, which is unwanted
 * since the post-edit state should only apply to the load right after the save.
@@ -1474,9 +1472,7 @@ class EditPage {
 }
 $response = RequestContext::getMain()->getRequest()->response();
- $response->setCookie( $postEditKey, $val, time() + self::POST_EDIT_COOKIE_DURATION, [
- 'httpOnly' => false,
- ] );
+ $response->setCookie( $postEditKey, $val, time() + self::POST_EDIT_COOKIE_DURATION );
 }
 /**
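Review bot: In the first EditPage.php hunk, the unchanged paragraph right after the new sentence still reads "If the variable were set on the server, it would be cached, which is unwanted", which now contradicts the added text, because Article::view sets wgPostEdit on the server. I would reword that paragraph to explain why this is acceptable now, for example `* The variable is only emitted while the cookie is present, and clearing the cookie keeps that response out of the cache,` followed by `* so the post-edit state still applies only to the load right after the save.` The caching claim rests on the comment added in the Article.php hunk of this patch and should be confirmed there. The doc comment (presumably the one on setPostEditCookie) starts and ends outside the hunk, so the rest of the paragraph is not visible here.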
diff --git a/includes/page/Article.php b/includes/page/Article.php
index ee0ff225ca..3c767f5658 100644
--- a/includes/page/Article.php
+++ b/includes/page/Article.php
@@ -653,7 +653,17 @@ class Article implements Page {
 $this->showViewFooter();
 $this->mPage->doViewUpdates( $user, $oldid );
- $outputPage->addModules( 'mediawiki.action.view.postEdit' );
+ # Load the postEdit module if the user just saved this revision
+ # See also EditPage::setPostEditCookie
+ $request = $this->getContext()->getRequest();
+ $cookieKey = EditPage::POST_EDIT_COOKIE_KEY_PREFIX . $this->getRevIdFetched();
+ $postEdit = $request->getCookie( $cookieKey );
+ if ( $postEdit ) {
+ # Clear the cookie. This also prevents caching of the response.
+ $request->response()->clearCookie( $cookieKey );
+ $outputPage->addJsConfigVars( 'wgPostEdit', $postEdit );
+ $outputPage->addModules( 'mediawiki.action.view.postEdit' );
+ }
 }
 /**
diff --git a/resources/Resources.php b/resources/Resources.php
index eabe42f91d..e53f7bf9ea 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1493,7 +1493,6 @@ return [
 'scripts' => 'resources/src/mediawiki.action/mediawiki.action.view.postEdit.js',
 'styles' => 'resources/src/mediawiki.action/mediawiki.action.view.postEdit.less',
 'dependencies' => [
- 'mediawiki.cookie',
 'mediawiki.jqueryMsg',
 'mediawiki.notification'
 ],
diff --git a/resources/src/mediawiki.action/mediawiki.action.view.postEdit.js b/resources/src/mediawiki.action/mediawiki.action.view.postEdit.js
index 87572ecf8b..e25c96a4b4 100644
--- a/resources/src/mediawiki.action/mediawiki.action.view.postEdit.js
+++ b/resources/src/mediawiki.action/mediawiki.action.view.postEdit.js
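Review bot: In the Article.php hunk the cookie value reaches `addJsConfigVars( 'wgPostEdit', $postEdit )` after only a truthiness test, although a cookie is client-supplied and the postEdit module later appends the value to `'postedit-confirmation-'` to pick a message key. I would still clear the cookie whenever it is present, but gate the config variable and the module on the expected values with `if ( in_array( $postEdit, [ 'saved', 'created', 'restored' ], true ) ) {`. That list is taken from the message keys named in the JS file of this patch and should be checked against what EditPage actually writes. Since the added comment says clearing the cookie prevents caching, it should also note that this applies to any request that arrives with a cookie of this name for the viewed revision. The enclosing method starts and ends outside the hunk.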
@@ -22,10 +22,7 @@
 * @member mw.hook
 */
- var cookieVal,
- config = mw.config.get( [ 'wgAction', 'wgCurRevisionId' ] ),
- // This should match EditPage::POST_EDIT_COOKIE_KEY_PREFIX:
- cookieKey = 'PostEditRevision' + config.wgCurRevisionId;
+ var postEdit = mw.config.get( 'wgPostEdit' );
 function showConfirmation( data ) {
 var $container, $popup, $content, timeoutId;
@@ -68,26 +65,17 @@
 mw.hook( 'postEdit' ).add( showConfirmation );
- // Only when viewing wiki pages, that exist
- // (E.g. not on special pages or non-view actions)
- if ( config.wgCurRevisionId && config.wgAction === 'view' ) {
- cookieVal = mw.cookie.get( cookieKey );
- if ( cookieVal ) {
- mw.config.set( 'wgPostEdit', true );
- mw.hook( 'postEdit' ).fire( {
- // The following messages can be used here:
- // postedit-confirmation-saved
- // postedit-confirmation-created
- // postedit-confirmation-restored
- message: mw.msg(
- 'postedit-confirmation-' + cookieVal,
- mw.user
- )
- } );
- mw.cookie.set( cookieKey, null );
- }
+ if ( postEdit ) {
+ mw.hook( 'postEdit' ).fire( {
+ // The following messages can be used here:
+ // postedit-confirmation-saved
+ // postedit-confirmation-created
+ // postedit-confirmation-restored
+ message: mw.msg(
+ 'postedit-confirmation-' + postEdit,
+ mw.user
+ )
+ } );
 }
 }( mediaWiki, jQuery ) );
--
2.20.1
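Review bot: In the second postEdit.js hunk, `mw.hook( 'postEdit' ).add( showConfirmation )` now only runs when Article::view has loaded the module, so code that fires the `postEdit` hook without a page reload would show no confirmation unless it loads `mediawiki.action.view.postEdit` itself. No such caller is visible in this patch, so this should be checked before merging. Separately, `wgPostEdit` changes from `true` to a string, and a comment above `var postEdit` in the first hunk would record the new contract, for example `// Set by Article::view from the post-edit cookie: 'saved', 'created' or 'restored'`. Both hunks sit inside a closure whose start is outside the visible lines.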