From ff25f6506785016882ac330b12fbfb38caffce94 Mon Sep 17 00:00:00 2001
From: Max Semenik <maxsem.wiki@gmail.com>
Date: Thu, 19 May 2016 14:07:45 -0700
Subject: [PATCH] SECURITY: Don't request data for missing groups

Bug: T135691
Change-Id: Ida263365bcefc105bfa7f137fa096ab15ff9af0b
---
 includes/Tag/TagHandler.php | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/includes/Tag/TagHandler.php b/includes/Tag/TagHandler.php
index 900511b..3e47eb6 100644
--- a/includes/Tag/TagHandler.php
+++ b/includes/Tag/TagHandler.php
@@ -256,6 +256,13 @@ abstract class TagHandler {
 
 
 	protected function saveData( ParserOutput $output ) {
+		$requestedGroups = $output->getExtensionData( 'kartographer_requested' );
+		if ( !$requestedGroups ) {
+			$requestedGroups = [];
+		}
+		$requestedGroups = array_merge( $requestedGroups, $this->showGroups );
+		$output->setExtensionData( 'kartographer_requested', $requestedGroups );
+
 		if ( !$this->geometries ) {
 			return;
 		}
@@ -310,9 +317,17 @@ abstract class TagHandler {
 		}
 
 		$interact = $output->getExtensionData( 'kartographer_interact' );
-		if ( $interact ) {
-			$interact = array_flip( array_unique( $interact ) );
+		$requested = $output->getExtensionData( 'kartographer_requested' ) ?: [];
+		if ( $interact || $requested ) {
+			$interact = array_flip( array_unique( $interact ?: [] ) );
 			$liveData = array_intersect_key( (array)$data, $interact );
+			$requested = array_unique( $requested );
+			// Prevent pointless API requests for missing groups
+			foreach ( $requested as $group ) {
+				if ( !isset( $data->$group ) ) {
+					$liveData[$group] = new stdClass();
+				}
+			}
 			$output->addJsConfigVars( 'wgKartographerLiveData', $liveData );
 		}
 	}
-- 
2.7.2