author | Pierre Schmitz <pierre@archlinux.de> | 2014-11-27 06:08:05 +0100 |
---|---|---|
committer | Pierre Schmitz <pierre@archlinux.de> | 2014-11-27 06:08:05 +0100 |
commit | 888eab1a076a287bddd84fdf9dd9c57154c91e3f (patch) | |
tree | 7264d1dfeb20d833187007cac80a7f7ef6038845 /includes/OutputPage.php | |
parent | 45b4484864b492a40570e99a9f5c87d2512cc6ad (diff) |
Update to MediaWiki 1.22.14
Diffstat (limited to 'includes/OutputPage.php')
-rw-r--r-- | includes/OutputPage.php | 78 |
1 files changed, 45 insertions, 33 deletions
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 363f2b62..e6d4339f 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -151,12 +151,14 @@ class OutputPage extends ContextSource {
 var $mFeedLinksAppendQuery = null;
- /**
- * @var int
- * The level of 'untrustworthiness' allowed for modules loaded on this page.
+ /** @var array
+ * What level of 'untrustworthiness' is allowed in CSS/JS modules loaded on this page?
 * @see ResourceLoaderModule::$origin
+ * ResourceLoaderModule::ORIGIN_ALL is assumed unless overridden;
 */
- protected $mAllowedModuleOrigin = ResourceLoaderModule::ORIGIN_ALL;
+ protected $mAllowedModules = array(
+ ResourceLoaderModule::TYPE_COMBINED => ResourceLoaderModule::ORIGIN_ALL,
+ );
 /**
 * @EasterEgg I just love the name for this self documenting variable.
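Review bot: The new docblock on `$mAllowedModules` does not say what the array is keyed by, and its last sentence ends in a stray semicolon. The initialiser shows the keys are ResourceLoaderModule TYPE_ constants and the values ORIGIN_ levels, so I would spell that out, for example `@var array Map of ResourceLoaderModule TYPE_ constant => highest ORIGIN_ level allowed; a type with no entry is treated as ORIGIN_ALL.` Stating the permissive default next to the data makes it harder to add a new module type without deciding how restricted pages should treat it.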
@@ -1271,13 +1273,31 @@ class OutputPage extends ContextSource {
 }
 /**
- * Restrict the page to loading modules bundled the software.
+ * Do not allow scripts which can be modified by wiki users to load on this page;
+ * only allow scripts bundled with, or generated by, the software.
+ * Site-wide styles are controlled by a config setting, since they can be
+ * used to create a custom skin/theme, but not user-specific ones.
 *
- * Disallows the queue to contain any modules which can be modified by wiki
- * users to load on this page.
+ * @todo this should be given a more accurate name
 */
 public function disallowUserJs() {
- $this->reduceAllowedModuleOrigin( ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL );
+ global $wgAllowSiteCSSOnRestrictedPages;
+ $this->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS,
+ ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL
+ );
+
+ // Site-wide styles are controlled by a config setting, see bug 71621
+ // for background on why. User styles are never allowed.
+ if ( $wgAllowSiteCSSOnRestrictedPages ) {
+ $styleOrigin = ResourceLoaderModule::ORIGIN_USER_SITEWIDE;
+ } else {
+ $styleOrigin = ResourceLoaderModule::ORIGIN_CORE_INDIVIDUAL;
+ }
+ $this->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES,
+ $styleOrigin
+ );
 }
 /**
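Review bot: The comment above the `$wgAllowSiteCSSOnRestrictedPages` branch in disallowUserJs() points to bug 71621 but does not say what enabling the setting accepts. With it on, styles of origin ORIGIN_USER_SITEWIDE are allowed on every page that called disallowUserJs(), so whoever can edit the site-wide styles can presumably change how those pages render. The setting's default is not visible in this hunk; I would record it together with the trust assumption, e.g. `// Only enable if everyone who can edit site-wide CSS is trusted to restyle restricted pages; user styles stay blocked either way.` The method now restricts styles as well as scripts, which the new @todo about its name already acknowledges.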
@@ -1295,40 +1315,31 @@ class OutputPage extends ContextSource {
 * Get the level of JavaScript / CSS untrustworthiness allowed on this page.
 *
 * @see ResourceLoaderModule::$origin
- * @param string $type Unused: Module origin allowance used to be fragmented by
- * ResourceLoaderModule TYPE_ constants.
- * @return Int ResourceLoaderModule ORIGIN_ class constant
+ * @param string $type ResourceLoaderModule TYPE_ constant
+ * @return int ResourceLoaderModule ORIGIN_ class constant
 */
- public function getAllowedModules( $type = null ) {
- return $this->mAllowedModuleOrigin;
+ public function getAllowedModules( $type ) {
+ if ( $type == ResourceLoaderModule::TYPE_COMBINED ) {
+ return min( array_values( $this->mAllowedModules ) );
+ } else {
+ return isset( $this->mAllowedModules[$type] )
+ ? $this->mAllowedModules[$type]
+ : ResourceLoaderModule::ORIGIN_ALL;
+ }
 }
 /**
 * Set the highest level of CSS/JS untrustworthiness allowed
 *
 * @deprecated since 1.24 Raising level of allowed untrusted content is no longer supported.
- * Use reduceAllowedModuleOrigin() instead.
- *
- * @param $type String ResourceLoaderModule TYPE_ constant
- * @param int $level ResourceLoaderModule ORIGIN_ constant
- */
- public function setAllowedModules( $type, $level ) {
- wfDeprecated( __METHOD__, '1.24' );
- $this->reduceAllowedModuleOrigin( $level );
- }
-
- /**
- * Limit the highest level of CSS/JS untrustworthiness allowed.
- *
- * @deprecated since 1.24 Module allowance is no longer fragmented by content type.
- * Use reduceAllowedModuleOrigin() instead.
+ * Use reduceAllowedModules() instead
 *
 * @param string $type ResourceLoaderModule TYPE_ constant
- * @param int $level ResourceLoaderModule ORIGIN_ class constant
+ * @param int $level ResourceLoaderModule class constant
 */
- public function reduceAllowedModules( $type, $level ) {
+ public function setAllowedModules( $type, $level ) {
 wfDeprecated( __METHOD__, '1.24' );
- $this->reduceAllowedModuleOrigin( $level );
+ $this->reduceAllowedModules( $type, $level );
 }
 /**
@@ -1337,10 +1348,11 @@ class OutputPage extends ContextSource {
 * If passed the same or a higher level than the current level of untrustworthiness set, the
 * level will remain unchanged.
 *
+ * @param string $type
 * @param int $level ResourceLoaderModule class constant
 */
- public function reduceAllowedModuleOrigin( $level ) {
- $this->mAllowedModuleOrigin = min( $this->mAllowedModuleOrigin, $level );
+ public function reduceAllowedModules( $type, $level ) {
+ $this->mAllowedModules[$type] = min( $this->getAllowedModules( $type ), $level );
 }
 /** |
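Review bot: getAllowedModules() now fails open for a type it does not recognise: the else branch returns `ResourceLoaderModule::ORIGIN_ALL` whenever `$this->mAllowedModules[$type]` is unset, and the `= null` default on `$type` was dropped in the same change. A caller still relying on the old optional argument (none are visible in this diff, so this needs a search of the tree) would, on PHP versions that only warn about a missing argument, presumably reach that branch with a null type and get the most permissive level back even after disallowUserJs() ran. Keeping the argument optional with the strictest answer as its default avoids that: `public function getAllowedModules( $type = ResourceLoaderModule::TYPE_COMBINED ) {`. The comparison against TYPE_COMBINED could also use `===`.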
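Review bot: A reduction made through TYPE_COMBINED in reduceAllowedModules() is stored under the TYPE_COMBINED key only, and the per-type lookup in getAllowedModules() (previous hunk) never reads that key. So `reduceAllowedModules( ResourceLoaderModule::TYPE_COMBINED, $level )` lowers the value returned for TYPE_COMBINED but leaves lookups for TYPE_SCRIPTS and TYPE_STYLES at their own entry or ORIGIN_ALL. Whether the loader filters by the specific type is outside this diff, so please confirm; if it does, either apply a TYPE_COMBINED reduction to every type or document the limit, e.g. `@param string $type ResourceLoaderModule TYPE_ constant; TYPE_COMBINED does not restrict per-type lookups`. The added `@param string $type` line currently has no description at all.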