For consistent handling of API requests with the 'callback' argument.
Change-Id: Ic6e3483f5e8819498c693650a11728efc1bafcc0
to allow generators to include data in the action=query result.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
used for conditional registration of API modules.
+* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
+ the current request was sent with the 'callback' parameter (or any future
+ method that breaks the same-origin policy).
* The following methods have been deprecated and may be removed in a future
release:
* ApiBase::getDescription
return $this->isMain() ? null : $this->getMain();
}
+ /**
+ * Returns true if the current request breaks the same-origin policy.
+ *
+ * For example, json with callbacks.
+ *
+ * https://en.wikipedia.org/wiki/Same-origin_policy
+ *
+ * @since 1.25
+ * @return bool
+ */
+ public function lacksSameOriginSecurity() {
+ return $this->getMain()->getRequest()->getVal( 'callback' ) !== null;
+ }
+
/**
* Get the path to this module
*
*/
class ApiCreateAccount extends ApiBase {
public function execute() {
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
- $this->dieUsage( 'Cannot create account when using a callback', 'aborted' );
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
+ $this->dieUsage(
+ 'Cannot create account when the same-origin policy is not applied', 'aborted'
+ );
}
// $loginForm->addNewaccountInternal will throw exceptions
* is reached. The expiry is $this->mLoginThrottle.
*/
public function execute() {
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
$this->getResult()->addValue( null, 'login', array(
'result' => 'Aborted',
- 'reason' => 'Cannot log in when using a callback',
+ 'reason' => 'Cannot log in when the same-origin policy is not applied',
) );
return;
// Remove all modules other than login
global $wgUser;
- if ( $this->getVal( 'callback' ) !== null ) {
- // JSON callback allows cross-site reads.
- // For safety, strip user credentials.
- wfDebug( "API: stripping user credentials for JSON callback\n" );
+ if ( $this->lacksSameOriginSecurity() ) {
+ // If we're in a mode that breaks the same-origin policy, strip
+ // user credentials for security.
+ wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
$wgUser = new User();
$this->getContext()->setUser( $wgUser );
}
);
}
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
$fld_token = false;
}
return $this->tokenFunctions;
}
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
return array();
}
return $this->tokenFunctions;
}
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
return array();
}
return $this->tokenFunctions;
}
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
return array();
}
$params = $this->extractRequestParams();
$res = array();
- if ( $this->getMain()->getRequest()->getVal( 'callback' ) !== null ) {
- $this->setWarning( 'Tokens may not be obtained when using a callback' );
+ if ( $this->lacksSameOriginSecurity() ) {
+ $this->setWarning( 'Tokens may not be obtained when the same-origin policy is not applied' );
return;
}
);
}
if ( isset( $this->prop['preferencestoken'] ) &&
- is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) &&
+ !$this->lacksSameOriginSecurity() &&
$user->isAllowed( 'editmyoptions' )
) {
$vals['preferencestoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
return $this->tokenFunctions;
}
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
return array();
}
}
private function getTokenTypes() {
- // If we're in JSON callback mode, no tokens can be obtained
- if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ // If we're in a mode that breaks the same-origin policy, no tokens can
+ // be obtained
+ if ( $this->lacksSameOriginSecurity() ) {
return array();
}