Last modified: 2011-06-24 17:14:07 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T31070, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 29070 - Require a token in API action=watch
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.18.x
Hardware: All All
Importance: High normal
Assigned To: Roan Kattouw
Blocks: 27655
Reported: 2011-05-21 10:42 UTC by Krinkle
Modified: 2011-06-24 17:14 UTC (History)
Description Krinkle 2011-05-21 10:42:26 UTC
Aside from the front-end (bug 27655) the API needs to require a token as well.
Comment 1 Bryan Tong Minh 2011-05-21 13:48:07 UTC
Please note that the token should be salted to prevent edit token leakage.
Comment 2 Krinkle 2011-05-21 14:38:34 UTC
markpatrolled requires a POST. I think it would make sense to require this for watching as well.

On the other hand, with markpatrolled we ended up with a token that is not compatible between index.php and api.php (presumably because index.php should not be POST for common actions and thus got an extra salt layer). Gadgets that attempted to use the API to mark stuff as patrolled first have to make an API request to get the token; the one already on the page was not compatible.

If we could, it would be great if the tokens would be the same to avoid doing the same as we did with markpatrolled. However, this may have been done on purpose. I guess once bug 29067 is fixed, we don't have to worry about that anymore since gadgets could just get their tokens from there.
Comment 3 Sam Reed (reedy) 2011-05-21 16:39:00 UTC
r88522, done?
Comment 4 Krinkle 2011-05-21 23:06:32 UTC
Yeah, works nice :)
Comment 5 Bryan Tong Minh 2011-05-22 08:27:14 UTC
Breaking change, needs announce mail.
Comment 6 Krinkle 2011-05-22 08:33:02 UTC
I suggest waiting until bug 27655 is fixed as well.
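
Added example, not part of the bug thread and not MediaWiki's code: a minimal server-side check for a state-changing "watch" call that combines the two points raised in comments 1 and 2, a per-action salted token and a POST requirement. The salt values, function names and rejection strings are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed salt values for this sketch; not MediaWiki's real ones.
EDIT_SALT = "edit"
WATCH_SALT = "watch"


def new_session_secret() -> str:
    """Random per-session secret that never leaves the server."""
    return secrets.token_hex(32)


def make_token(session_secret: str, salt: str) -> str:
    """Derive a token bound to one action: HMAC keyed with the secret."""
    return hmac.new(session_secret.encode(), salt.encode(),
                    hashlib.sha256).hexdigest()


def check_watch_request(method: str, params: dict, session_secret: str) -> str:
    """Return 'ok' or a rejection reason for a state-changing watch call."""
    if method.upper() != "POST":
        return "must-be-posted"  # keeps the token out of URLs and logs
    supplied = params.get("token")
    if not supplied:
        return "no-token"
    expected = make_token(session_secret, WATCH_SALT)
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "bad-token"
    return "ok"


def demo() -> dict:
    """Run the check over constructed requests and collect the outcomes."""
    secret = new_session_secret()
    watch = make_token(secret, WATCH_SALT)
    edit = make_token(secret, EDIT_SALT)
    return {
        "valid_post": check_watch_request("POST", {"token": watch}, secret),
        "get_with_token": check_watch_request("GET", {"token": watch}, secret),
        "missing_token": check_watch_request("POST", {}, secret),
        "edit_token_on_watch": check_watch_request("POST", {"token": edit}, secret),
        "other_session": check_watch_request("POST", {"token": watch},
                                             new_session_secret()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because each token is derived with a different salt, a watch token that ends up in a link or a log cannot be replayed as an edit token, and the edit token is rejected by the watch check.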
