---------- Forwarded message ----------
From: Krinkle <krinklem...@gmail.com>
Date: Mon, Jun 6, 2011 at 3:08 AM
Subject: [Wikitech-l] BREAKING CHANGE: action=watch now requires token (and API requires token and POST)
To: MediaWiki announcements and site admin list <mediawik...@lists.wikimedia.org>, Wikimedia developers <wikitec...@lists.wikimedia.org>


Hi all,

As of MediaWiki 1.19 the action of watching or unwatching a page
requires a token [1]. A similar measure was taken during the
development of 1.17 for the markpatrolled action, and the reason is the
same: To prevent third-party sites from executing write actions without
the users' permission.

The ApiWatch module must be posted and given a token. As with other
edittoken-based api actions, the token is salted but stays the same
throughout a session. Scripts may retrieve this token, as usual, through
the ApiQueryInfo (must be logged in, anon users don't have action-watch)
[4].

On a sidenote, recently the mw.user.tokens resourceloader module [8]
has been created [9]. With this, together with the mw.user.options
module introduced in 1.17, gadgets can do advanced actions without
polling the API for common data. If your script is run from a wiki, you
can get the tokens from this Map [5] without an http request to the
query info module. An example has been made in the
mediawiki.action.watch.ajax module [6]. This (un)watches through the
API.

The actual change in the WatchAction class was made in r89545 [3].
The ApiWatch module was changed in r88522 [7].

--
Krinkle


[1] https://bugzilla.wikimedia.org/27655 Require token for (un)watching pages

[2] https://bugzilla.wikimedia.org/29070 Add token to action=watch API

[3] http://www.mediawiki.org/wiki/Special:Code/MediaWiki/89545

[4] http://yourdomain/w/api.php?action=query&prop=info&titles=Main+Page&intoken=watch

[5] http://www.mediawiki.org/wiki/ResourceLoader/Default_modules#tokens

[6] http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/resources/mediawiki.action/mediawiki.action.watch.ajax.js?view=markup&pathrev=88554#l117

[7] http://www.mediawiki.org/wiki/Special:Code/MediaWiki/88522

[8] https://bugzilla.wikimedia.org/29067 Expose user.tokens like we do user.options in ResourceLoader

[9] http://www.mediawiki.org/wiki/Special:Code/MediaWiki/88553

_______________________________________________
Wikitech-l mailing list
wikitec...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
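
The token-then-POST flow described in the announcement, as an added example that is not part of the original message or of MediaWiki's own code. The function names, the wiki URL, and the sample response with its token value are constructed for illustration, and `watchToken` as the key in `mw.user.tokens` is an assumption.

```javascript
// Added example; function names, URL and sample data are constructed.
// Sample JSON for action=query&prop=info&titles=Main+Page&intoken=watch
// (constructed; the token value is made up).
const SAMPLE_INFO_RESPONSE = {
  query: { pages: { "1": { pageid: 1, ns: 0, title: "Main Page",
    watchtoken: "0123456789abcdef0123456789abcdef+\\" } } }
};

// Read the per-session watch token from a query/info response.
// Anonymous users get no watchtoken, so fail loudly instead of posting without one.
function extractWatchToken(infoResponse) {
  const pages = (infoResponse && infoResponse.query && infoResponse.query.pages) || {};
  for (const id of Object.keys(pages)) {
    const token = pages[id].watchtoken;
    if (typeof token === "string" && token !== "") return token;
  }
  throw new Error("no watchtoken in response (not logged in?)");
}

// On a wiki page, prefer the token ResourceLoader already shipped;
// the key name "watchToken" is an assumption. Otherwise use the API response.
function getWatchToken(infoResponse) {
  if (typeof mw !== "undefined" && mw.user && mw.user.tokens) {
    const token = mw.user.tokens.get("watchToken");
    if (token) return token;
  }
  return extractWatchToken(infoResponse);
}

// Build the write request: POST only, token in the form body (not the URL,
// where it would land in logs and Referer headers). URLSearchParams
// percent-encodes the token, so a "+" in it is not decoded as a space.
function buildWatchRequest(apiUrl, title, token, unwatch) {
  const body = new URLSearchParams({ action: "watch", format: "json", title, token });
  if (unwatch) body.set("unwatch", "");
  return {
    url: apiUrl,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString()
  };
}

const request = buildWatchRequest("https://wiki.example/w/api.php", "Main Page",
  getWatchToken(SAMPLE_INFO_RESPONSE), false);
console.log(request.method, request.body);
```

A script that concatenates the token into the request by hand must percent-encode it itself; an unencoded `+` reaches the server as a space and the token no longer matches.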
