[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

--- Comment #14 from Platonides platoni...@gmail.com 2011-06-07 21:36:28 UTC ---

(In reply to comment #10)

I didn't suggest doing the javascript watch through the UI, I only referred to the token.

--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Krinkle krinklem...@gmail.com changed:

What|Removed|Added
Status|REOPENED|RESOLVED
Resolution||FIXED

--- Comment #13 from Krinkle krinklem...@gmail.com 2011-06-06 00:33:17 UTC ---

Fixed in r89545
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Krinkle krinklem...@gmail.com changed:

What|Removed|Added
Blocks|28425|
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

--- Comment #10 from Krinkle krinklem...@gmail.com 2011-06-03 07:51:30 UTC ---

(In reply to comment #8)
> Why was this fixed in reverse order? It should have been fixed first in html, then in javascript (which could then take advantage of the token in the url).

I disagree about it being the reversed order. They are two distinct methods using different protocols and different tokens.

One is through the API, which scripts and programs use. This is through a POST request with a standard token that can be retrieved from the API.

The other is on-wiki through index.php. This is through a GET request with a stronger token (on-wiki action links can only be GET and thus need a little stronger protection, I'm not sure if that is still the case, but that's the way we did it with patrol and rollback links in index.php, so it makes sense to do that here as well).

Both are independent and need to be fixed separately. AFAIK the order doesn't matter. The reason the on-wiki javascript-watch button is using the token already and the html isn't, is because the javascript button is using the API (not index.php), so I adjusted it in advance (since the API watch-module was already done) and the javascript wouldn't be done differently if it were fixed the other way around (i.e. index.php first and api.php later).

--

In the past many gadgets ajaxified functions by making an ajax-request to the index.php url (which they scraped from the page) and giving an OK message through dom-manipulation by checking the http response code or by digging through the HTML of the response. This isn't very clean and doesn't provide very complete or accurate response to the user, and one could argue whether this is efficient (as it would cause MediaWiki to render an entire page rather than just a simple request with a short JSON response, that is more machine readable and language/wiki independent).

Therefore the ajax-watch was switched to using the API a while ago.
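The two token checks that comment #10 distinguishes, sketched as an added example that is not MediaWiki's code and not part of the thread. The HMAC-SHA256 derivation, the function names, the error strings, and the reading of "stronger token" as a token salted with the action and page title are all assumptions.

```javascript
// Added illustration, not MediaWiki code. Function names, error strings and the
// HMAC-SHA256 derivation are assumptions made for this sketch.
const crypto = require('node:crypto');

// Derive a token from the per-session secret. An empty salt gives the generic
// token sent with POST requests; a salt ties the token to one action and page.
function makeToken(sessionSecret, salt = '') {
  return crypto.createHmac('sha256', sessionSecret).update(salt).digest('hex');
}

// Constant-time comparison; a missing token never matches.
function tokenMatches(expected, supplied) {
  const a = Buffer.from(expected);
  const b = Buffer.from(String(supplied || ''));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// api.php-style handler: the state change needs POST plus the generic token.
function handleApiWatch(session, req) {
  if (req.method !== 'POST') return { ok: false, error: 'post-required' };
  if (!tokenMatches(makeToken(session.secret), req.params.token)) {
    return { ok: false, error: 'bad-token' };
  }
  return { ok: true, action: req.params.unwatch ? 'unwatch' : 'watch', title: req.params.title };
}

// index.php-style link: GET is accepted, so the token in the URL is salted with
// the action and the title and is useless for any other link if it leaks.
function handleIndexWatch(session, req) {
  const { action, title, token } = req.params;
  if (action !== 'watch' && action !== 'unwatch') return { ok: false, error: 'bad-action' };
  if (!tokenMatches(makeToken(session.secret, `${action}|${title}`), token)) {
    return { ok: false, error: 'bad-token' };
  }
  return { ok: true, action, title };
}

// Constructed sample session and requests.
const session = { secret: 'constructed-session-secret' };
const link = makeToken(session.secret, 'watch|Main Page');
console.log(handleIndexWatch(session, { method: 'GET', params: { action: 'watch', title: 'Main Page', token: link } }));
console.log(handleIndexWatch(session, { method: 'GET', params: { action: 'unwatch', title: 'Main Page', token: link } }));
console.log(handleApiWatch(session, { method: 'POST', params: { title: 'Main Page', token: link } }));
```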
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

--- Comment #11 from Liangent liang...@gmail.com 2011-06-03 14:54:58 UTC ---

(In reply to comment #10)
> (In reply to comment #8)
> > Why was this fixed in reverse order? It should have been fixed first in html, then in javascript (which could then take advantage of the token in the url).
>
> I disagree about it being the reversed order. They are two distinct methods using different protocols and different tokens.
>
> One is through the API, which scripts and programs use. This is through a POST request with a standard token that can be retrieved from the API.
>
> The other is on-wiki through index.php. This is through a GET request with a stronger token (on-wiki action links can only be GET and thus need a little stronger protection, I'm not sure if that is still the case, but that's the way we did it with patrol and rollback links in index.php, so it makes sense to do that here as well).
>
> Both are independent and need to be fixed separately. AFAIK the order doesn't matter. The reason the on-wiki javascript-watch button is using the token already and the html isn't, is because the javascript button is using the API (not index.php), so I adjusted it in advance (since the API watch-module was already done) and the javascript wouldn't be done differently if it were fixed the other way around (i.e. index.php first and api.php later).
>
> --
>
> In the past many gadgets ajaxified functions by making an ajax-request to the index.php url (which they scraped from the page) and giving an OK message through dom-manipulation by checking the http response code or by digging through the HTML of the response. This isn't very clean and doesn't provide very complete or accurate response to the user, and one could argue whether this is efficient (as it would cause MediaWiki to render an entire page rather than just a simple request with a short JSON response, that is more machine readable and language/wiki independent).
>
> Therefore the ajax-watch was switched to using the API a while ago.

There is index.php?action=ajax but I don't know where we are using it.
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

--- Comment #12 from Happy-melon happy.melon.w...@gmail.com 2011-06-03 15:36:35 UTC ---

(In reply to comment #11)
> There is index.php?action=ajax but I don't know where we are using it.

Hopefully nowhere, it's deprecated in favour of the API.
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Bryan Tong Minh bryan.tongm...@gmail.com changed:

What|Removed|Added
AssignedTo|bryan.tongm...@gmail.com|wikibugs-l@lists.wikimedia.org
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Platonides platoni...@gmail.com changed:

What|Removed|Added
CC||platoni...@gmail.com

--- Comment #8 from Platonides platoni...@gmail.com 2011-06-02 21:47:47 UTC ---

Why was this fixed in reverse order? It should have been fixed first in html, then in javascript (which could then take advantage of the token in the url).
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Bryan Tong Minh bryan.tongm...@gmail.com changed:

What|Removed|Added
CC||bryan.tongm...@gmail.com

--- Comment #9 from Bryan Tong Minh bryan.tongm...@gmail.com 2011-06-02 21:54:43 UTC ---

Should be assigned to somebody else, won't have time to fix this the coming two weeks.
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Mark A. Hershberger m...@everybody.org changed:

What|Removed|Added
CC||m...@everybody.org
AssignedTo|wikibugs-l@lists.wikimedia.org|roan.katt...@gmail.com
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Mark A. Hershberger m...@everybody.org changed:

What|Removed|Added
AssignedTo|roan.katt...@gmail.com|bryan.tongm...@gmail.com
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Krinkle krinklem...@gmail.com changed:

What|Removed|Added
Blocks||23227
Summary|Add token to action=watch|Require token for watching/unwatching pages
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Krinkle krinklem...@gmail.com changed:

What|Removed|Added
Blocks|23227|
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Bug 27655 depends on bug 29067, which changed state.

Bug 29067 Summary: Expose user.tokens like we do user.options in ResourceLoader
https://bugzilla.wikimedia.org/show_bug.cgi?id=29067

What|Old Value|New Value
Status|NEW|RESOLVED
Resolution||FIXED
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Bug 27655 depends on bug 29070, which changed state.

Bug 29070 Summary: Add token to action=watch
https://bugzilla.wikimedia.org/show_bug.cgi?id=29070

What|Old Value|New Value
Status|NEW|RESOLVED
Resolution||FIXED
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Krinkle krinklem...@gmail.com changed:

What|Removed|Added
Status|NEW|RESOLVED
Resolution||FIXED

--- Comment #6 from Krinkle krinklem...@gmail.com 2011-05-21 23:15:05 UTC ---

* Clean up in r88511.
* Switching to POST (since that's what the API needs now (bug 29070, r88522)) and adding error handling in r88527.
* Passing token parameter in r88554 (via mw.user.tokens, introduced in r88553);

Fixed!
[Bug 27655] Require token for watching/unwatching pages
https://bugzilla.wikimedia.org/show_bug.cgi?id=27655

Krinkle krinklem...@gmail.com changed:

What|Removed|Added
Status|RESOLVED|REOPENED
Resolution|FIXED|

--- Comment #7 from Krinkle krinklem...@gmail.com 2011-05-21 23:20:30 UTC ---

API users and users on the wiki using the AJAX-button are covered. Looks like we haven't patched index.php?action=(un)watch yet though. The security problem is still there.

Reopening..