From 3ef40657adfb28ee4ba41e553bdf29c46a9c782d Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@gmail.com>
Date: Fri, 20 Mar 2015 08:09:59 -0700
Subject: [PATCH] SECURITY: action=wbmergeitems needs a csrf token

This will also make the module require a POST request.

Bug: T93365
Change-Id: Ifebb8aac6dcd2d13a1fb104eaa08e05738744573
---
 repo/includes/api/MergeItems.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/repo/includes/api/MergeItems.php b/repo/includes/api/MergeItems.php
index 7f52663..7b952e4 100644
--- a/repo/includes/api/MergeItems.php
+++ b/repo/includes/api/MergeItems.php
@@ -175,6 +175,10 @@ class MergeItems extends ApiBase {
 		);
 	}
 
+	public function needsToken() {
+		return 'csrf';
+	}
+
 	/**
 	 * @see ApiBase::getAllowedParams
 	 */
@@ -194,7 +198,6 @@ class MergeItems extends ApiBase {
 			'summary' => array(
 				ApiBase::PARAM_TYPE => 'string',
 			),
-			'token' => null,
 			'bot' => false
 		);
 	}
-- 
2.1.0