Add extra security check to Echo API to prevent vandalism

1. Only trigger mark as read if the unread notification count is > 0
1. Add a limit to the number of notification that can be marked as read
2. Only update those records with read_timestamp = null

Change-Id: I12456c504787f45f594ef9283e98d98692956935
This commit is contained in:
bsitu 2013-05-03 17:46:30 -07:00
parent 9e2b948b66
commit c130197682
2 changed files with 10 additions and 4 deletions

View file

@ -12,10 +12,15 @@ class ApiEchoNotifications extends ApiQueryBase {
}
$params = $this->extractRequestParams();
if ( count( $params['markread'] ) ) {
EchoNotificationController::markRead( $user, $params['markread'] );
} elseif ( $params['markallread'] ) {
EchoNotificationController::markAllRead( $user );
// There is no need to trigger markRead if all notifications are read
if ( EchoNotificationController::getNotificationCount( $user ) > 0 ) {
if ( count( $params['markread'] ) ) {
// Make sure there is a limit to the update
EchoNotificationController::markRead( $user, array_slice( $params['markread'], 0, ApiBase::LIMIT_SML2 ) );
} elseif ( $params['markallread'] ) {
EchoNotificationController::markAllRead( $user );
}
}
$prop = $params['prop'];

View file

@ -229,6 +229,7 @@ class MWDbEchoBackend extends MWEchoBackend {
array(
'notification_user' => $user->getId(),
'notification_event' => $eventIDs,
'notification_read_timestamp' => null,
),
__METHOD__
);