Last modified: 2008-10-27 19:26:31 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T11532, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 9532 - Allow creation of the EditToken through JavaScript
Status: RESOLVED WORKSFORME
Product: MediaWiki
Classification: Unclassified
Reported: 2007-04-08 20:41 UTC by Nux
Modified: 2008-10-27 19:26 UTC (History)
Description Nux 2007-04-08 20:41:33 UTC
I'd like to know if it would be possible to have the edit token available on any
page (not only when editing)? I know I could probably get this through AJAX
scripting but that's the best way I think.

On Polish Wikipedia we have a script for reporting bugs and it currently uses
the Tool Server and a bot to add reports. If the edit token were available,
the form created through JS could simply add a new section (submitting changes
with one click) and the bot would be used only to pass info about these changes
to an IRC channel (as it does now).
Comment 1 Rob Church 2007-04-08 20:50:07 UTC
This would likely interfere with caching, and would harm our ability to change
the token on the fly (automatic regeneration) and have things still work.
Comment 2 Platonides 2007-04-08 20:54:37 UTC
I recently had a similar need. I wrote a 'fastdelete' script that avoids having
to confirm the deletion.
http://es.wikipedia.org/wiki/Usuario:Platonides/fastdelete.js

To have the EditToken available, it remembers it (the edittoken is the same for
the session) at edits/deletes, in a cookie
http://es.wikipedia.org/wiki/Usuario:Platonides/StoreSettings.js
Comment 3 Nux 2007-04-08 21:01:37 UTC
(In reply to comment #1)
> This would likely interfere with caching, and would harm our ability to change
> the token on the fly (automatic regeneration) and have things still work.

Caching - why? I thought it was generated once during each session.
Comment 4 Rob Church 2007-04-09 12:40:10 UTC
(In reply to comment #3)
> Caching - why? I thought it was generated once during each session.

As I said in comment 1, we might like to alter things so tokens are regenerated
more often. Tokens for different operations are also salted, and so can vary
according to the operation in question. Your browser will attempt to cache the
page, including the script.

The whole point of an edit token is to help prevent malicious form submission
hijacking; I'm not convinced that providing an edit token on every page via
JavaScript wouldn't partly defeat the purpose of it.

Comment 5 Platonides 2007-04-09 13:35:56 UTC
Just to document it:
The only token which is currently different is the rollback one, which is hashed
with the user you're reverting.

The editToken is also unrelated to the ___Token cookie, used for login.
Comment 6 Rob Church 2007-06-06 03:23:13 UTC
(In reply to comment #5)
> The only token which is currently different is the rollback one, which is hashed
> with the user you're reverting.

That is incorrect.
Comment 7 Roan Kattouw 2008-10-27 11:30:13 UTC
Resolving as WORKSFORME. The edit token can be obtained from the API using AJAX, or scraped from the hidden form field if you happen to be on the edit form.

API URL: http://en.wikipedia.org/w/api.php?action=query&titles=Main_Page&prop=info&intoken=edit
(append &format=whatever to get a different format; for help, see http://en.wikipedia.org/w/api.php )
Comment 8 Jesse (Pathoschild) 2008-10-27 19:26:31 UTC
(See [[Wikipedia:WikiProject_User_scripts/Guide/Ajax]] for a tutorial on doing so with JavaScript.)
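
Added example, not part of the original thread and not MediaWiki's own code: one way a script could use the API response from comment 7 to build the one-click "new section" submission from the description, fetching the token at submit time rather than storing it. The sample response is constructed, and the action=edit parameter names and the "+\" token suffix are assumptions not stated on this page.

```javascript
// Added example; not code from the bug thread or from MediaWiki.
// CONSTRUCTED sample of the JSON returned for
//   api.php?action=query&titles=Main_Page&prop=info&intoken=edit&format=json
// The page id and token value are made up.
const SAMPLE_RESPONSE = JSON.stringify({
  query: { pages: { "1": {
    pageid: 1, ns: 0, title: "Main Page",
    edittoken: "0123456789abcdef0123456789abcdef+\\"
  } } }
});

// Return the edit token the API issued for `title`, or throw if absent
// (e.g. the API normalized "Main_Page" to "Main Page").
function extractEditToken(jsonText, title) {
  const pages = (JSON.parse(jsonText).query || {}).pages || {};
  for (const page of Object.values(pages)) {
    if (page.title === title && typeof page.edittoken === "string") {
      return page.edittoken;
    }
  }
  throw new Error("no edit token returned for " + title);
}

// Build the POST body for adding a new section in one click.
// Parameter names are assumed from the API's action=edit module.
function buildNewSectionBody(title, heading, text, token) {
  const fields = {
    action: "edit", format: "json", title: title,
    section: "new", summary: heading, text: text,
    token: token // sent in the POST body, never in the URL
  };
  // encodeURIComponent turns "+" into %2B and "\" into %5C. Left raw,
  // "+" decodes to a space on the server and the token check fails.
  return Object.keys(fields)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// Fetch the token at submit time instead of storing it in the page or a
// cookie, so a regenerated token (comment 1) is picked up automatically.
function prepareReport(apiResponseText, title, heading, text) {
  const token = extractEditToken(apiResponseText, title);
  return buildNewSectionBody(title, heading, text, token);
}
```

Keeping the token in the POST body keeps it out of URLs, which can end up in server logs, browser history and Referer headers.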
