Merge "HTMLFormField: Adjust isSubmitAttempt and add more comments"

2 files changed, 6 insertions, 3 deletions

diff --git a/includes/htmlform/HTMLFormField.php b/includes/htmlform/HTMLFormField.php
index ae4bf0da0152..01a6ac1e45e1 100644
--- a/includes/htmlform/HTMLFormField.php
+++ b/includes/htmlform/HTMLFormField.php
@@ -457,15 +457,17 @@ abstract class HTMLFormField {
 	 * Can we assume that the request is an attempt to submit a HTMLForm, as opposed to an attempt to
 	 * just view it? This can't normally be distinguished for e.g. checkboxes.
 	 *
-	 * Returns true if the request was posted, or has a field for a CSRF token (wpEditToken) or a form
-	 * identifier (wpFormIdentifier).
+	 * Returns true if the request was posted and has a field for a CSRF token (wpEditToken), or
+	 * has a form identifier (wpFormIdentifier).
 	 *
 	 * @todo Consider moving this to HTMLForm?
 	 * @param WebRequest $request
 	 * @return bool
 	 */
 	protected function isSubmitAttempt( WebRequest $request ) {
-		return $request->wasPosted() || $request->getCheck( 'wpEditToken' )
+		// HTMLForm would add a hidden field of edit token for forms that require to be posted.
+		return $request->wasPosted() && $request->getCheck( 'wpEditToken' )
+			// The identifier matching or not has been checked in HTMLForm::prepareForm()
 			|| $request->getCheck( 'wpFormIdentifier' );
 	}
 
diff --git a/tests/phpunit/includes/htmlform/HTMLFormFieldTest.php b/tests/phpunit/includes/htmlform/HTMLFormFieldTest.php
index c89884fbdb7f..73412e4c578b 100644
--- a/tests/phpunit/includes/htmlform/HTMLFormFieldTest.php
+++ b/tests/phpunit/includes/htmlform/HTMLFormFieldTest.php
@@ -10,6 +10,7 @@ class HTMLFormFieldTest extends PHPUnit\Framework\TestCase {
 	use MediaWikiCoversValidator;
 
 	public function getNewForm( $descriptor, $requestData ) {
+		$requestData += [ 'wpEditToken' => 'ABC123' ];
 		$request = new FauxRequest( $requestData, true );
 		$context = new DerivativeContext( RequestContext::getMain() );
 		$context->setRequest( $request );