Last modified: 2014-05-05 23:36:50 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T57846, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 55846 - Flow does not use the standard edit token
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: Flow
Version: unspecified
Hardware: All All
Importance: Low normal
Target Milestone: ---
Assigned To: Kunal Mehta (Legoktm)
Reported: 2013-10-17 18:56 UTC by Kunal Mehta (Legoktm)
Modified: 2014-05-05 23:36 UTC

Description Kunal Mehta (Legoktm) 2013-10-17 18:56:49 UTC
From Flow.php:

// Salt used to generate edit tokens for authenticating Flow actions
$wgFlowTokenSalt = 'flow';

From includes/api/ApiFlow.php:
        public function getTokenSalt() {
                global $wgFlowTokenSalt;
                return $wgFlowTokenSalt;
        }

Why is Flow using a non-standard token? What's the advantage to doing so?

It's a disadvantage to anyone using the API since they need to fetch another token, and in many cases they already have an edit token.
Comment 1 spage 2013-10-21 08:38:13 UTC
The WMF core features team tracks this bug on Mingle card https://mingle.corp.wikimedia.org/projects/flow/cards/334, but people from the community are welcome to contribute here and in Gerrit.
Comment 2 Kunal Mehta (Legoktm) 2014-01-29 01:21:59 UTC
In testing various stuff, I've observed that because Flow has to fetch the token, it's causing the overhead of at least one extra GET request for any action the user wishes to take.

I plan on fixing this bug once the API rewrite is done if there are no objections.
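
The effect described in the report and in Comment 2, as an added example that is not part of the bug report or of Flow's code: a simplified Python model of session-bound tokens in which each API module checks the token against its own salt. The HMAC derivation, `ModelApi` and its method names are assumptions for illustration and are not MediaWiki's implementation; only the salt value 'flow' comes from the report.

```python
import hashlib
import hmac
import secrets

# Assumed per-module salts: "" models the standard edit token,
# "flow" is the value of $wgFlowTokenSalt quoted in the report.
STANDARD_SALT = ""
FLOW_SALT = "flow"


def make_token(session_secret: bytes, salt: str) -> str:
    """Derive a token bound to one session and one salt (model only)."""
    return hmac.new(session_secret, salt.encode(), hashlib.sha256).hexdigest()


class ModelApi:
    """Hypothetical server: hands out tokens over GET, checks them on POST."""

    def __init__(self, flow_salt: str):
        self.session_secret = secrets.token_bytes(32)
        self.salts = {"edit": STANDARD_SALT, "flow": flow_salt}
        self.get_requests = 0

    def get_token(self, module: str) -> str:
        self.get_requests += 1
        return make_token(self.session_secret, self.salts[module])

    def post(self, module: str, token: str) -> bool:
        expected = make_token(self.session_secret, self.salts[module])
        return hmac.compare_digest(expected, token)  # constant-time compare


def extra_gets_for_flow_action(flow_salt: str) -> int:
    """Client already holds an edit token; count extra GETs to post to Flow."""
    api = ModelApi(flow_salt)
    cached = api.get_token("edit")
    baseline = api.get_requests
    if not api.post("flow", cached):       # a salted module rejects the edit token
        fresh = api.get_token("flow")      # the extra round trip
        assert api.post("flow", fresh)
    return api.get_requests - baseline


if __name__ == "__main__":
    print("salt 'flow':", extra_gets_for_flow_action(FLOW_SALT))
    print("standard   :", extra_gets_for_flow_action(STANDARD_SALT))
```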
Comment 3 Erik Bernhardson 2014-01-29 04:17:30 UTC
I haven't heard any greatly compelling reason to have an independent token; greps through other extensions seem to indicate it's not a widely used option. Go for it.
Comment 4 Gerrit Notification Bot 2014-04-16 00:22:21 UTC
Change 126179 had a related patch set uploaded by Legoktm:
API: Use a standard edit token

https://gerrit.wikimedia.org/r/126179
Comment 5 Gerrit Notification Bot 2014-05-05 20:40:48 UTC
Change 126179 merged by jenkins-bot:
API: Use a standard edit token

https://gerrit.wikimedia.org/r/126179
