From 8681dca59cbb892631631dd96844b433b4b1ad69 Mon Sep 17 00:00:00 2001
From: Marius Hoch
Date: Fri, 20 Mar 2015 16:38:58 +0100
Subject: [PATCH] SECURITY: Make action=wbmergeitems need a csrf token

This will also make the module require a POST request.

Bug: T93365
Change-Id: Ife8d7dafce8ec6173226b14ca3f86fb013d8a82b
---
 extensions/Wikibase/repo/includes/api/MergeItems.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/extensions/Wikibase/repo/includes/api/MergeItems.php b/extensions/Wikibase/repo/includes/api/MergeItems.php
index a94e6ab..a73c2d3 100644
--- a/extensions/Wikibase/repo/includes/api/MergeItems.php
+++ b/extensions/Wikibase/repo/includes/api/MergeItems.php
@@ -179,6 +179,10 @@ class MergeItems extends ApiBase {
 );
 }
 
+ public function needsToken() {
+ return 'csrf';
+ }
+
 /**
 * @see ApiBase::getAllowedParams
 */
@@ -198,7 +202,6 @@ class MergeItems extends ApiBase {
 'summary' => array(
 ApiBase::PARAM_TYPE => 'string',
 ),
- 'token' => null,
 'bot' => false
 );
 }
-- 
2.1.0
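Review bot: The added `needsToken()` in the first hunk has no doc comment, although it is the method that carries the security property and the `getAllowedParams()` directly below it has one. I would add `/** @see ApiBase::needsToken - 'csrf' makes the API framework reject calls that lack a valid token */` above it, so the override is not later removed as apparent boilerplate. The diffstat lists only MergeItems.php, so no test shown here pins that a token-less or GET request to wbmergeitems is refused; a regression test asserting that rejection would keep the fix from silently reverting. The commit message's POST requirement and the second hunk's removal of `'token' => null` both presumably depend on ApiBase deriving them from `needsToken()`, which holds only if this class does not override `mustBePosted()` elsewhere. The class body continues outside both hunks, so that cannot be confirmed from here.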