From ebb49abd05950066d94fb52639feafdb94a357d3 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Fri, 9 Feb 2024 11:49:22 +0100
Subject: [PATCH] SECURITY: Check edit token in Special:MergeLexemes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use a TokenCheckInteractor just like in Special:RedirectEntity and
Special:MergeItems in Wikibase.

To reduce the risk of merge conflicts, don’t inject the required
services nor add imports yet; we can clean this up once this change has
been made public.

SpecialMergeLexemesTest doesn’t need any changes to keep working as far
as I can tell locally.

Bug: T357101
Change-Id: Idb48cf22e8d5616cc39e05d59076d5d6073e249c
---
 src/MediaWiki/Specials/SpecialMergeLexemes.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/MediaWiki/Specials/SpecialMergeLexemes.php b/src/MediaWiki/Specials/SpecialMergeLexemes.php
index 99baa94d20..254cb17ec7 100644
--- a/src/MediaWiki/Specials/SpecialMergeLexemes.php
+++ b/src/MediaWiki/Specials/SpecialMergeLexemes.php
@@ -184,6 +184,19 @@ private function anonymousEditWarning(): string {
 	}
 
 	private function mergeLexemes( LexemeId $sourceId, LexemeId $targetId ): void {
+		// TODO inject interactor+localizer once this is public
+		// phpcs:disable MediaWiki.Classes.FullQualifiedClassName.Found
+		try {
+			\Wikibase\Repo\WikibaseRepo::getTokenCheckInteractor()
+				->checkRequestToken( $this->getContext(), 'wpEditToken' );
+		} catch ( \Wikibase\Repo\Interactors\TokenCheckException $e ) {
+			$message = \Wikibase\Repo\WikibaseRepo::getExceptionLocalizer()
+				->getExceptionMessage( $e );
+			$this->showErrorHTML( $message->parse() );
+			return;
+		}
+		// phpcs:enable
+
 		try {
 			$status = $this->mergeInteractor->mergeLexemes(
 				$sourceId,
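Review bot: The token check added at the top of `mergeLexemes()` has no regression test in this patch. The commit message says SpecialMergeLexemesTest is unchanged, so nothing visible here pins that a request with a missing or mismatched `wpEditToken` returns before `$this->mergeInteractor->mergeLexemes()` runs. Add cases to that test class that submit valid source and target ids without a token and with a wrong one, asserting that the error is shown and no merge happens, so a later refactor (such as the planned injection cleanup) cannot silently drop the CSRF check. As a style point, the bare `// phpcs:enable` re-enables every sniff rather than only the one disabled above; prefer `// phpcs:enable MediaWiki.Classes.FullQualifiedClassName.Found`. The body of `mergeLexemes()` continues past the end of the hunk, so this assumes no other path reaches the merge.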
-- 
2.44.0

