Last modified: 2006-10-25 08:33:36 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9369, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 7369 - Allow "Show Changes" without requiring edit token.
Allow "Show Changes" without requiring edit token.
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Page editing (Other open bugs)
1.8.x
All All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-19 02:06 UTC by Nick Jenkins
Modified: 2006-10-25 08:33 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Untested patch (855 bytes, patch)
2006-10-25 07:57 UTC, Andrew Garrett 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Nick Jenkins 2006-09-19 02:06:48 UTC 
Currently an external site can POST data to MediaWiki to get a preview of a page
with modified wiki text.

However, currently you cannot perform a "Show Changes" on the exact same edit
without having the user's edit token. It would be nice to allow this, since
"Show Changes" is:
a) More efficient - up to a factor of 20 from
http://mail.wikipedia.org/pipermail/wikitech-l/2006-July/037315.html
b) More appropriate in some situations (such as an external tool which is
proposing possible cleanups or improvements to an article, and wants to clearly
highlight what's about to change).

The relevant function is EditPage::importFormData() from includes/EditPage.php ,
which also includes this text:
-------------------------------
   # Page might be a hack attempt posted from
   # an external site. Preview instead of saving.
-------------------------------
... it might also be a non-malicious show changes attempt posted from an
external site, which wants to show changes instead of saving :-) In which case
an "else if ($this->diff)" clause or similar could be useful for when the token
is not valid, but only a show changes was requested.
Comment 1 Andrew Garrett 2006-10-25 07:57:47 UTC 
Created attachment 2552 [details]
Untested patch

This patch should fix the issue. Please take a close look at it before
committing.
Comment 2 Nick Jenkins 2006-10-25 08:33:36 UTC 
Patch checked in as r17246
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links