https://bugzilla.wikimedia.org/show_bug.cgi?id=60407
--- Comment #4 from Chris Steipp <[email protected]> ---
(In reply to comment #0)
> In developing some test setup/teardown methods via the Mediawiki API, we have
> noticed that en.wikipedia.beta.wmflabs.org (beta labs) always returns an
> anonymous edit token, even following a successful login. This does not happen
> in other environments - in other environments, the edit API action is
> authenticated as expected.
>
> Repro workflow:
>
> 1) Request login token: curl -c cookies.txt -X POST
> 'http://en.wikipedia.beta.wmflabs.org/w/api.php?action=login&format=json&lgname=<username>&lgpassword=<password>&lgtoken='
>
> 2) Submit login token: curl -b cookies.txt -X POST
> 'http://en.wikipedia.beta.wmflabs.org/w/api.php?action=login&format=json&lgname=<username>&lgpassword=<password>&lgtoken=<token obtained in previous step>'

Here, you need to keep writing new cookies into cookies.txt. If the account is global, you'll get a centralauth_Session cookie with your new session id. If the account is local only, the session id is changed on login to prevent session fixation.

> 3) Request edit token, reusing the same cookie obtained above: curl -b
> cookies.txt -X POST
> "http://en.wikipedia.beta.wmflabs.org/w/api.php?action=tokens&type=edit&format=json"

When I call this, returning the CentralAuth session cookie that I got on step #2, I get a valid user edit token.

> Response to step #3 is an anonymous edit token:
> {"tokens":{"edittoken":"+\\"}}
>
> In other environments, such as test2.wikipedia.org, the response in step #3 is
> something like the following, which is the expected behavior (a valid edit
> token is returned):
> {"tokens":{"edittoken":"5d75e6ca92d6de881921f068ebd7b695+\\"}}
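
Added example (not part of the original mail and not MediaWiki's code): a constructed in-memory model of the three-step flow above, showing why a cookie jar that is only read in step 2 (curl -b without -c) ends up with the anonymous token once the server changes the session id on login. MockWiki, run_flow and the account data are hypothetical names and values.

```python
import secrets

ANON_TOKEN = "+\\"  # anonymous edit token from the report (JSON "+\\" decodes to +\)

class MockWiki:
    """Constructed stand-in for the API; sessions are keyed by cookie value."""
    def __init__(self, users):
        self.users = users      # name -> password
        self.sessions = {}      # session id -> {"user": ..., "lgtoken": ...}

    def _new_session(self, user=None):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "lgtoken": None}
        return sid

    def login(self, cookie, name, password, lgtoken=""):
        """Return (response, cookie value the server sets)."""
        sess = self.sessions.get(cookie)
        if sess is None or not lgtoken or lgtoken != sess["lgtoken"]:
            # First call: hand out a login token bound to the pre-login session.
            sid = cookie if sess is not None else self._new_session()
            self.sessions[sid]["lgtoken"] = secrets.token_hex(8)
            return {"result": "NeedToken", "token": self.sessions[sid]["lgtoken"]}, sid
        if self.users.get(name) != password:
            return {"result": "WrongPass"}, cookie
        # Session fixation defence: invalidate the pre-login id, issue a new one.
        del self.sessions[cookie]
        return {"result": "Success"}, self._new_session(user=name)

    def edit_token(self, cookie):
        sess = self.sessions.get(cookie)
        if sess is None or sess["user"] is None:
            return ANON_TOKEN   # unknown or logged-out session is treated as anonymous
        return secrets.token_hex(16) + ANON_TOKEN

def run_flow(wiki, name, password, rewrite_jar_on_login):
    """The jar holds one cookie value; the flag models adding -c to step 2."""
    resp, jar = wiki.login(None, name, password)                       # step 1: curl -c
    resp, set_cookie = wiki.login(jar, name, password, resp["token"])  # step 2: curl -b
    if rewrite_jar_on_login:    # curl -b cookies.txt -c cookies.txt
        jar = set_cookie
    return wiki.edit_token(jar)                                        # step 3: curl -b

if __name__ == "__main__":
    wiki = MockWiki({"alice": "constructed-password"})
    print("jar read only :", run_flow(wiki, "alice", "constructed-password", False))
    print("jar rewritten :", run_flow(wiki, "alice", "constructed-password", True))
```

In the curl workflow the equivalent change is passing both -b cookies.txt and -c cookies.txt in step 2, so the cookie set on successful login replaces the pre-login one.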
