Last modified: 2014-10-06 06:58:12 UTC

Bug 41956 - Document how to implement tokens in (extension) api modules
Product: MediaWiki
Classification: Unclassified
Component: API
Hardware: All All
Importance: Normal normal
Assigned To: Brad Jorsch
Blocks: documentation
Reported: 2012-11-10 04:53 UTC by Niklas Laxström
Modified: 2014-10-06 06:58 UTC (History)

Description Niklas Laxström 2012-11-10 04:53:10 UTC
Currently I'm using code like this:
// Before MW 1.20
$wgHooks['ApiTokensGetTokenTypes'][] = 'ApiTranslationReview::injectTokenFunction';
// After MW 1.20
$wgHooks['APIQueryInfoTokens'][] = 'ApiTranslationReview::injectTokenFunction';

	public static function getToken() {
		global $wgUser;
		if ( !$wgUser->isAllowed( self::$right ) ) {
			return false;
		}

		return $wgUser->getEditToken( self::$salt );
	}

	public static function injectTokenFunction( &$list ) {
		$list['translationreview'] = array( __CLASS__, 'getToken' );
		return true; // Hooks must return bool
	}

However, I'd like to get rid of the global wgUser. Please document the best way to implement tokens for version 1.19 and above.
Comment 1 Brad Jorsch 2012-11-13 17:14:02 UTC
That's probably the best way at the moment. All the core token-getting functions seem to use $wgUser, too.
Comment 2 Brad Jorsch 2014-09-16 21:16:27 UTC
Since Gerrit change #153110, things have gotten much simpler. Now most API modules will just implement ApiBase::needsToken

  public function needsToken() {
      return 'csrf';
  }

Using custom salts is discouraged, but if necessary is accomplished using the 'ApiQueryTokensRegisterTypes' hook:

  $wgHooks['ApiQueryTokensRegisterTypes'][] = function ( &$salts ) {
      $salts['mytokentype'] = 'salt';
      return true;
  };

(then needsToken() would return 'mytokentype' instead of 'csrf')
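
An added example (not part of this bug report and not MediaWiki's own code) of a complete extension module using the needsToken() approach from Comment 2; it also takes the user from the module's request context rather than the global $wgUser asked about in the description. It assumes MediaWiki 1.24 or later, and the class name, action name, right and parameter are hypothetical.

```php
<?php
// Added example. Hypothetical names: ApiReviewExample, the 'reviewexample'
// action, the 'examplereview' right and the 'revision' parameter.

class ApiReviewExample extends ApiBase {

	// Returning a token type makes the API framework add a required 'token'
	// parameter and validate it as a CSRF token before execute() is called.
	public function needsToken() {
		return 'csrf';
	}

	// A token-protected, state-changing module should accept POST only
	// and declare itself a write module.
	public function mustBePosted() {
		return true;
	}

	public function isWriteMode() {
		return true;
	}

	public function getAllowedParams() {
		return array(
			'revision' => array(
				ApiBase::PARAM_TYPE => 'integer',
				ApiBase::PARAM_REQUIRED => true,
			),
		);
	}

	public function execute() {
		// ApiBase is a ContextSource, so the user comes from the request
		// context instead of the global $wgUser.
		$user = $this->getUser();
		if ( !$user->isAllowed( 'examplereview' ) ) {
			// dieUsage() is the 1.24-era call; later releases use dieWithError().
			$this->dieUsage( 'You are not allowed to review', 'permissiondenied' );
		}

		$params = $this->extractRequestParams();
		$this->getResult()->addValue( null, $this->getModuleName(),
			array( 'revision' => $params['revision'], 'result' => 'Success' ) );
	}
}

// Registration, normally done in the extension's setup file.
$wgAPIModules['reviewexample'] = 'ApiReviewExample';
```

A client obtains the token with action=query&meta=tokens&type=csrf and sends it back as the token parameter of the POST request.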
Comment 3 Niklas Laxström 2014-09-17 09:22:52 UTC
Wonderful. Can someone make sure this ends up in some wiki page which extension developers can easily find?
Comment 4 Nemo 2014-10-06 06:58:12 UTC
Assigning to Brad as patch author and only person knowing about the feature.