Last modified: 2014-10-06 06:58:12 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T43956, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 41956 - Document how to implement tokens in (extension) api modules
Product: MediaWiki
Classification: Unclassified
Component: API
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Brad Jorsch
Depends on:
Blocks: documentation
Reported: 2012-11-10 04:53 UTC by Niklas Laxström
Modified: 2014-10-06 06:58 UTC (History)



Description Niklas Laxström 2012-11-10 04:53:10 UTC
Currently I'm using code like this:
// Before MW 1.20
$wgHooks['ApiTokensGetTokenTypes'][] = 'ApiTranslationReview::injectTokenFunction';
// After MW 1.20
$wgHooks['APIQueryInfoTokens'][] = 'ApiTranslationReview::injectTokenFunction';

	public static function getToken() {
		global $wgUser;
		if ( !$wgUser->isAllowed( self::$right ) ) {
			return false;
		}

		return $wgUser->getEditToken( self::$salt );
	}

	public static function injectTokenFunction( &$list ) {
		$list['translationreview'] = array( __CLASS__, 'getToken' );
		return true; // Hooks must return bool
	}

However, I'd like to get rid of the global wgUser. Please document the best way to implement tokens for version 1.19 and above.
Comment 1 Brad Jorsch 2012-11-13 17:14:02 UTC
That's probably the best way at the moment. All the core token-getting functions seem to use $wgUser, too.
Comment 2 Brad Jorsch 2014-09-16 21:16:27 UTC
Since Gerrit change #153110, things have gotten much simpler. Now most API modules will just implement ApiBase::needsToken:

  public function needsToken() {
      return 'csrf';
  }

Using custom salts is discouraged, but if necessary is accomplished using the 'ApiQueryTokensRegisterTypes' hook:

  $wgHooks['ApiQueryTokensRegisterTypes'][] = function ( &$salts ) {
      $salts['mytokentype'] = 'salt';
      return true;
  };

(then needsToken() would return 'mytokentype' instead of 'csrf')
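
An added example, not part of the bug thread or of MediaWiki itself: a complete write module using the needsToken() approach from Comment 2, with the permission check taken from the module's request context instead of the global $wgUser. The class name, module name, right and parameter are hypothetical, and the calls assume the ApiBase interface of the MediaWiki release that contains Gerrit change #153110.

```php
<?php
// Added example. ApiExampleReview, 'examplereview' and 'revision' are
// hypothetical names chosen for illustration.
class ApiExampleReview extends ApiBase {
	protected static $right = 'examplereview';

	public function execute() {
		// By the time execute() runs, the API framework has already checked
		// the 'token' parameter against the type named by needsToken().
		// The user comes from the request context, so no global $wgUser.
		$user = $this->getUser();
		if ( !$user->isAllowed( self::$right ) ) {
			// dieUsage() is the error call of that era's ApiBase.
			$this->dieUsage( 'Permission denied', 'permissiondenied' );
		}

		$params = $this->extractRequestParams();
		// ... perform the state-changing action on $params['revision'] ...
		$this->getResult()->addValue( null, $this->getModuleName(),
			array( 'result' => 'Success', 'revision' => $params['revision'] ) );
	}

	// Declares the token type; the 'token' parameter itself is added to the
	// module's parameter list by ApiBase, so it is not listed below.
	public function needsToken() {
		return 'csrf';
	}

	// A token only protects against CSRF if the request cannot be a plain GET.
	public function mustBePosted() {
		return true;
	}

	public function isWriteMode() {
		return true;
	}

	public function getAllowedParams() {
		return array(
			'revision' => array(
				ApiBase::PARAM_TYPE => 'integer',
				ApiBase::PARAM_REQUIRED => true,
			),
		);
	}
}

// Registration, e.g. in the extension's setup file.
$wgAPIModules['examplereview'] = 'ApiExampleReview';
```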
Comment 3 Niklas Laxström 2014-09-17 09:22:52 UTC
Wonderful. Can someone make sure this ends up in some wiki page which extension developers can easily find?
Comment 4 Nemo 2014-10-06 06:58:12 UTC
Assigning to Brad as patch author and only person knowing about the feature.
