User "Catrope" changed the status of MediaWiki.r89545.

Old Status: new
New Status: resolved

Full URL: https://secure.wikimedia.org/wikipedia/mediawiki/wiki/Special:Code/MediaWiki/89545#c0

Commit summary:

WatchAction requires token (BREAKING CHANGE)

* (bug 27655) Require token for watching/unwatching pages
* Previously done for API (bug 29070) in r88522
* As with markpatrolled, the tokens are not compatible and made that way on purpose. The API requires the POST method and uses a universal token per-session. Since the front-end is all GET based (also per convention like in markpatrolled and rollback) they are stronger salted (title / action specific)
* ajax.watch used the API already and was switched in r88554.
* The actual watching/unwatching code was moved from WatchAction->onView to WatchAction::doWatch. This was done to allow the API to do the action without needing to generate a token like the front-end needs (or having to duplicate code). It is now similar to RecentChange::markPatrolled (in that it is also a "central" function that does not care about tokens, it's called after the token-handling)
* JavaScript / Gadgets that utilize action=watch in their scripts:
** Effects should be minimal as they should be using the API (see r88522 and wikitech-l)
** If they use index.php and scrape the link from the page, they can continue to do so.
* There are links to the watch action all over the place. I've tried to catch most of them, but there may be some I miss.

Migration in most cases is just a matter of adding an array item to the $query for:

    'token' => WatchAction::getWatchToken( $title, $user [, $action] )

or changing:

    Action::factory( 'watch', $article )->execute();

to:

    WatchAction::doWatch( $title, $user );

While replacing the usages, in some cases an instance of Article() no longer had to be created; in others $wgUser had to be retrieved from global (which was implied before but needs to be given directly now).

Other notes:

* Article->unwatch() and Article->watch(), which were deprecated as of 1.18 and are no longer used in core, may be broken in scenarios where the Request does not have a 'token' but is making a call to $article->watch()
* Some extensions need to be fixed, I'm currently running a grep search and will fix them a.s.a.p

[1] http://www.mediawiki.org/wiki/ResourceLoader/Default_modules?mw.user#tokens

_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
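
Added example (not part of the commit or of MediaWiki's code): a sketch of why a token that travels in a GET link is salted per title and action, while a universal per-session token is only sent by POST. The function names and the HMAC-SHA256 construction are assumptions made for illustration; the commit does not show how MediaWiki derives its tokens.

```php
<?php
// Illustration only: hypothetical helpers, not MediaWiki's implementation.
// Assumption: tokens are an HMAC-SHA256 keyed with a per-session secret.

// Universal per-session token: one value authorizes every action.
function universalToken(string $sessionSecret): string {
    return hash_hmac('sha256', '', $sessionSecret);
}

// Salted token: bound to exactly one action on exactly one title.
function saltedToken(string $sessionSecret, string $action, string $title): string {
    // Length-prefix each field so ("watch", "a|b") and ("watch|a", "b")
    // can never produce the same salt.
    $salt = strlen($action) . ':' . $action . strlen($title) . ':' . $title;
    return hash_hmac('sha256', $salt, $sessionSecret);
}

function checkSaltedToken(string $sessionSecret, string $action,
                          string $title, string $given): bool {
    // hash_equals compares in constant time.
    return hash_equals(saltedToken($sessionSecret, $action, $title), $given);
}

// Constructed sample data: a random per-session secret.
$secret = bin2hex(random_bytes(32));

// The token as it would sit in a GET link such as
// index.php?title=Main_Page&action=watch&token=...
// GET URLs end up in browser history, Referer headers and server logs.
$linkToken = saltedToken($secret, 'watch', 'Main_Page');

// Replay the disclosed token against other actions and titles.
$attempts = [
    ['watch',   'Main_Page'],  // the request the link was issued for
    ['unwatch', 'Main_Page'],  // same title, different action
    ['watch',   'Sandbox'],    // same action, different title
];
foreach ($attempts as [$action, $title]) {
    $ok = checkSaltedToken($secret, $action, $title, $linkToken);
    printf("%-8s %-10s %s\n", $action, $title, $ok ? 'accepted' : 'rejected');
}

// A universal token carries no action or title binding, so the same
// disclosure would be valid for every token-protected action in the session.
$sessionWide = universalToken($secret);
printf("universal token reusable across actions: %s\n",
    hash_equals(universalToken($secret), $sessionWide) ? 'yes' : 'no');
```

A disclosed salted token is only good for repeating the one request it was issued for, which is the property the commit relies on when it keeps the front-end GET based.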
