From 006505f417ef32ce97953dd6b41f14234a0bb8b5 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Fri, 9 Feb 2024 11:49:22 +0100
Subject: [PATCH] SECURITY: Check edit token in Special:MergeLexemes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use a TokenCheckInteractor just like in Special:RedirectEntity and
Special:MergeItems in Wikibase.

To reduce the risk of merge conflicts, put this check directly between
the assignments and checks of $sourceId and $targetId – logically, I’d
like to put it a bit below, just above the try+catch block for the
mergeLexemes() call, but I think the mergeLexemes() call will be touched
soon for T356764 or T356149, so let’s keep a bit of distance for now.
Once this change has been made public, we can move it down.

Also to reduce the risk of merge conflicts, use FQNs instead of adding
imports (and suppress the associated phpcs errors so that this hopefully
won’t be blocked on CI once it’s uploaded on Gerrit). We can clean this
up later as well.

SpecialMergeLexemesTest doesn’t need any changes to keep working as far
as I can tell locally.

Bug: T357101
Change-Id: Idb48cf22e8d5616cc39e05d59076d5d6073e249c
---
 src/MediaWiki/Specials/SpecialMergeLexemes.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/MediaWiki/Specials/SpecialMergeLexemes.php b/src/MediaWiki/Specials/SpecialMergeLexemes.php
index dca2111390..71de16fd34 100644
--- a/src/MediaWiki/Specials/SpecialMergeLexemes.php
+++ b/src/MediaWiki/Specials/SpecialMergeLexemes.php
@@ -168,6 +168,18 @@ private function anonymousEditWarning(): string {
 	private function mergeLexemes( $serializedSourceId, $serializedTargetId ): void {
 		$sourceId = $this->getLexemeId( $serializedSourceId );
 		$targetId = $this->getLexemeId( $serializedTargetId );
+		// TODO inject interactor+localizer and move this check down a bit once this is public
+		// phpcs:disable MediaWiki.Classes.FullQualifiedClassName.Found
+		try {
+			\Wikibase\Repo\WikibaseRepo::getTokenCheckInteractor()
+				->checkRequestToken( $this->getContext(), 'wpEditToken' );
+		} catch ( \Wikibase\Repo\Interactors\TokenCheckException $e ) {
+			$message = \Wikibase\Repo\WikibaseRepo::getExceptionLocalizer()
+				->getExceptionMessage( $e );
+			$this->showErrorHTML( $message->parse() );
+			return;
+		}
+		// phpcs:enable
 
 		if ( !$sourceId ) {
 			$this->showInvalidLexemeIdError( $serializedSourceId );
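Review bot: Nothing in this patch exercises the new token check — the diffstat touches only SpecialMergeLexemes.php, and the message notes that SpecialMergeLexemesTest keeps passing unchanged, which also means no test would fail if the try/catch around `checkRequestToken()` were removed again. For a CSRF fix it is worth adding a regression case to SpecialMergeLexemesTest that submits the merge without `wpEditToken` (and one with a wrong token) and asserts that the error HTML is shown and the lexemes are left untouched, plus a positive case with a valid token so the happy path is covered. The early `return` after `showErrorHTML()` is what stops the merge from proceeding, so a short comment such as `// abort before any validation or merging happens on an unverified request` on that line would make the intent explicit for whoever moves the block later as the TODO suggests. The rest of mergeLexemes(), including the call that actually performs the merge, lies outside this hunk.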
-- 
2.43.0

