r88522 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r88521‎ \| r88522 \| r88523 >
Date:	16:38, 21 May 2011
Author:	reedy
Status:	ok (Comments)
Tags:
Comment:	* (bug 29070) Add token to action=watch
Modified paths:	/trunk/phase3/RELEASE-NOTES-1.19 (modified) (history) /trunk/phase3/includes/api/ApiQueryInfo.php (modified) (history) /trunk/phase3/includes/api/ApiWatch.php (modified) (history)

Diff [purge]

Index: trunk/phase3/RELEASE-NOTES-1.19
—	—	@@ -83,6 +83,7 @@
84	84	* (bug 28578) API's parse module should not silently override invalid
85	85	title inputs
86	86	* (bug 20699) API watchlist should list log-events
	87	+* (bug 29070) Add token to action=watch
87	88
88	89	=== Languages updated in 1.19 ===
89	90
Index: trunk/phase3/includes/api/ApiQueryInfo.php
—	—	@@ -98,6 +98,7 @@
99	99	'unblock' => array( 'ApiQueryInfo', 'getUnblockToken' ),
100	100	'email' => array( 'ApiQueryInfo', 'getEmailToken' ),
101	101	'import' => array( 'ApiQueryInfo', 'getImportToken' ),
	102	+ 'watch' => array( 'ApiQueryInfo', 'getWatchToken'),
102	103	);
103	104	wfRunHooks( 'APIQueryInfoTokens', array( &$this->tokenFunctions ) );
104	105	return $this->tokenFunctions;
—	—	@@ -217,6 +218,21 @@
218	219	return $cachedImportToken;
219	220	}
220	221
	222	+ public static function getWatchToken( $pageid, $title ) {
	223	+ global $wgUser;
	224	+ if ( !$wgUser->isLoggedIn() ) {
	225	+ return false;
	226	+ }
	227	+
	228	+ static $cachedWatchToken = null;
	229	+ if ( !is_null( $cachedWatchToken ) ) {
	230	+ return $cachedWatchToken;
	231	+ }
	232	+
	233	+ $cachedWatchToken = $wgUser->editToken( 'watch' );
	234	+ return $cachedWatchToken;
	235	+ }
	236	+
221	237	public function execute() {
222	238	$this->params = $this->extractRequestParams();
223	239	if ( !is_null( $this->params['prop'] ) ) {
Index: trunk/phase3/includes/api/ApiWatch.php
—	—	@@ -71,18 +71,30 @@
72	72	$this->getResult()->addValue( null, $this->getModuleName(), $res );
73	73	}
74	74
	75	+ public function mustBePosted() {
	76	+ return true;
	77	+ }
	78	+
75	79	public function isWriteMode() {
76	80	return true;
77	81	}
78	82
	83	+ public function needsToken() {
	84	+ return true;
	85	+ }
	86	+
	87	+ public function getTokenSalt() {
	88	+ return 'watch';
	89	+ }
	90	+
79	91	public function getAllowedParams() {
80	92	return array(
81	93	'title' => array(
82	94	ApiBase::PARAM_TYPE => 'string',
83	95	ApiBase::PARAM_REQUIRED => true
84	96	),
85		-
86	97	'unwatch' => false,
	98	+ 'token' => null,
87	99	);
88	100	}
89	101
—	—	@@ -90,6 +102,7 @@
91	103	return array(
92	104	'title' => 'The page to (un)watch',
93	105	'unwatch' => 'If set the page will be unwatched rather than watched',
	106	+ 'token' => 'A token previously acquired via prop=info',
94	107	);
95	108	}
96	109

Follow-up revisions

Revision	Commit summary	Author	Date
r88527	Fixing mediawiki.action.watch.ajax...	krinkle	18:33, 21 May 2011
r88554	Passing token paremeter in mw.action.watch.ajax since this is required as of ...	krinkle	23:14, 21 May 2011
r89545	WatchAction requires token (BREAKING CHANGE)...	krinkle	00:09, 6 June 2011

Comments

#Comment by Duplicatebug (talk | contribs) 17:25, 24 May 2011

Why not using the watchlisttoken from the Preferences, which is used for feeds and so on?

#Comment by Catrope (talk | contribs) 15:58, 2 June 2011

That's different. The watchlist token is used for authentication, the watch token is used to prevent CSRF.

Status & tagging log

15:58, 2 June 2011 Catrope (talk | contribs) changed the status of r88522 [removed: new added: ok]