[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-12 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #16 from Neil Kandalgaonkar ne...@wikimedia.org 2011-09-12 18:00:20 UTC ---
Yes, anything that modifies server state should be a POST. To be more precise:
any GET request ought to be repeatable any number of times and get the same
result.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

You can make exceptions but only if there's absolutely no other way to achieve
your needed functionality.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Jeroen De Dauw jeroen_ded...@yahoo.com changed:

What       | Removed  | Added
Status     | ASSIGNED | RESOLVED
Resolution |          | FIXED

--- Comment #15 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-09-08 15:17:41 UTC ---
Fixed by r96575. Now doing a POST call to the API.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Jeroen De Dauw jeroen_ded...@yahoo.com changed:

What       | Removed  | Added
Status     | RESOLVED | REOPENED
Resolution | FIXED    |

--- Comment #14 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-09-07 19:39:25 UTC ---
Ok, will implement the POST stuff soonish.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Jeroen De Dauw jeroen_ded...@yahoo.com changed:

What   | Removed  | Added
Status | REOPENED | ASSIGNED



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Roan Kattouw roan.katt...@gmail.com changed:

What | Removed | Added
CC   |         | roan.katt...@gmail.com

--- Comment #12 from Roan Kattouw roan.katt...@gmail.com 2011-09-02 14:15:40 UTC ---
Salted tokens are supported in the API, see ApiRollback.php in core.

There is a general paradigm that GET requests should not be able to change
things; deletions and creations and such should always use POST.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #13 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-09-02 15:28:00 UTC ---
> Salted tokens are supported in the API, see ApiRollback.php in core.

I guess I made some wrong assumptions there. Awesome! :)

> There is a general paradigm that GET requests should not be able to change
> things; deletions and creations and such should always use POST.

Sure, will do that in the future. Worth changing here though?



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Jeroen De Dauw jeroen_ded...@yahoo.com changed:

What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution |          | FIXED

--- Comment #9 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-09-01 14:08:21 UTC ---
I put in the id and name as salt in r95976.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #10 from Platonides platoni...@gmail.com 2011-09-01 16:19:01 UTC ---
> I put in the id and name as salt in r95976

Looks good.

> These can still be obtained by third party when not using SSL or other
> encryption right?

Yes, but we are not trying to protect against complete sniffing.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-09-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #11 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-09-01 18:13:38 UTC ---
Well, in that case I'd also not consider having the param in GET a problem. The
difference between the two is just some effort, not real security.

I just tried to have such a dynamic hash for the token of an API module, and
apparently this is not supported. If it's good enough for the API, why would it
not be for some UI? Or am I wrong and can you salt tokens used in the API with
some variables?



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Jeroen De Dauw jeroen_ded...@yahoo.com changed:

What       | Removed                        | Added
AssignedTo | wikibugs-l@lists.wikimedia.org | jeroen_ded...@yahoo.com



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Jeroen De Dauw jeroen_ded...@yahoo.com changed:

What       | Removed  | Added
Status     | ASSIGNED | RESOLVED
Resolution |          | FIXED

--- Comment #2 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-08-31 16:15:22 UTC ---
Fixed by r95880. Not sure this is the best way to deal with it though, if there
is a better one, please enlighten me :)



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Platonides platoni...@gmail.com changed:

What       | Removed  | Added
Status     | RESOLVED | REOPENED
Resolution | FIXED    |

--- Comment #3 from Platonides platoni...@gmail.com 2011-08-31 22:15:03 UTC ---
Two problems with that revision:
- First, you are using the plain, unsalted edit token in the URL. This
discloses the secret in e.g. proxy logs. We always salt the tokens with the
modified data in such cases so that once consumed they can't be reused (but see
below).

- Second, it is still deleting on visiting the page. The main risk is fixed,
but what would happen if a sysop presses delete when he wanted to press edit?

I think that pressing delete should lead you to an intermediate page, where you
should press a button to actually delete the campaign (just as anonymous purge
or normal deletion). Linking with bug 30645, it could be a copy of the usual
deletion interface, logging a deletion comment and storing the last data in the
log.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #4 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-08-31 22:31:35 UTC ---
> what would happen if a sysop presses delete when he wanted to press edit?

There is a confirmation dialogue. That of course won't work with JS disabled, but then
you are sort of shooting yourself in the foot IMO.

> I think that pressing delete should lead you to an intermediate page

An intermediate page would definitely make sense when there is something more
happening than a simple delete (i.e. for providing a deletion reason as you
suggest).

> We always salt the tokens with the modified data in such cases so that once
> consumed they can't be reused.

Is there documentation on this? I'm not sure how to proceed. What data should I
use as salt?



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #5 from Platonides platoni...@gmail.com 2011-08-31 22:57:25 UTC ---
> > what would happen if a sysop presses delete when he wanted to press edit?
>
> There is a confirmation dialogue. That of course won't work with JS disabled, but then
> you are sort of shooting yourself in the foot IMO.

Good. It wasn't there yesterday :)

> > I think that pressing delete should lead you to an intermediate page
>
> An intermediate page would definitely make sense when there is something more
> happening than a simple delete (i.e. for providing a deletion reason as you
> suggest).

It would be the right solution (semantic reasons, no javascript
dependency...). 


> > We always salt the tokens with the modified data in such cases so that once
> > consumed they can't be reused.
>
> Is there documentation on this? I'm not sure how to proceed. What data should I
> use as salt?

Maybe not. I remember I had this same talk with someone in CR. There may be
more info there. You can have a look at how rollback or patrolling links are
made.
Just pass the dependent data as a parameter to $wgUser->editToken(). In this
case I would pass $campaign->campaign_name. There's not much to put there in
this case, although it has the weakness that if someone recreated the campaign,
the old token would still be able to delete it.

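A reduced model of the salted-token scheme Platonides describes above and of the POST-only rule from comment #16, written as an added example (this is not MediaWiki's editToken() code; the HMAC construction, the session secret and the in-memory campaign store are assumptions). It shows the weakness he points out: a token salted with the campaign name alone still deletes a recreated campaign, while one salted with id and name (as done in r95976) does not.

```python
import hashlib
import hmac

# Constructed per-session secret: stands in for the secret a framework keeps
# behind its edit-token function (hypothetical; not how MediaWiki stores it).
SESSION_SECRET = "0123456789abcdef0123456789abcdef"

def edit_token(session_secret: str, salt: str = "") -> str:
    """Salted CSRF token: bound to the session and to the data being changed."""
    return hmac.new(session_secret.encode(), salt.encode(), hashlib.sha256).hexdigest()

def match_edit_token(session_secret: str, token: str, salt: str = "") -> bool:
    """Constant-time comparison against the token recomputed with the same salt."""
    expected = edit_token(session_secret, salt)
    return hmac.compare_digest(expected.encode(), token.encode())

def salt_name_only(campaign_id: int, name: str) -> str:
    return f"campaign:{name}"  # weak salt: survives delete-and-recreate

def salt_id_and_name(campaign_id: int, name: str) -> str:
    return f"campaign:{campaign_id}:{name}"  # id + name, as in the fix

def handle_delete(request: dict, session_secret: str, campaigns: dict, salt_fn) -> tuple:
    """Delete handler; `campaigns` maps name -> id (constructed in-memory store)."""
    if request["method"] != "POST":
        return 405, "state-changing request must be POST"
    name = request["params"].get("name")
    if name not in campaigns:
        return 404, "no such campaign"
    salt = salt_fn(campaigns[name], name)
    if not match_edit_token(session_secret, request["params"].get("token", ""), salt):
        return 403, "token does not match this campaign"
    del campaigns[name]
    return 200, f"deleted {name}"

def replay_after_recreate(salt_fn) -> int:
    """Delete with a valid token, recreate the campaign under a new id, then
    resubmit the same token. Returns the HTTP status of the second delete."""
    store = {"wlm2011": 1}  # constructed sample campaign
    token = edit_token(SESSION_SECRET, salt_fn(1, "wlm2011"))
    req = {"method": "POST", "params": {"name": "wlm2011", "token": token}}
    assert handle_delete(req, SESSION_SECRET, store, salt_fn)[0] == 200
    store["wlm2011"] = 2  # recreated: same name, fresh id
    return handle_delete(req, SESSION_SECRET, store, salt_fn)[0]
```

With the name-only salt the replay returns 200 (the old token still deletes the recreated campaign); with id plus name it returns 403.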


[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #6 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-08-31 23:11:03 UTC ---
> Good. It wasn't there yesterday :)

The dialogue has been there since I created the deletion link.

> It would be the right solution (semantic reasons, no javascript
> dependency...).

This makes me wonder what to do for an interface similar to what we have now,
but where deletions are made via HTTP request to the API, after getting a
dialogue (which also allows entering data such as a deletion reason). I think
such an approach is more user friendly than having a separate page.

> In this case I would pass $campaign->campaign_name. There's not much to put
> there in this case, although it has the weakness that if someone recreated
> the campaign, the old token would still be able to delete it.

Right, since this is just deleting, we're getting off rather easily. Just adding
a campaign constant, the campaign name, and the campaign id should yield
something unique. But what to do for edit actions, i.e. for an API module that
allows modifying one or more settings of an upload campaign (if there was such
a module)?



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #7 from Platonides platoni...@gmail.com 2011-08-31 23:30:06 UTC ---
> > Good. It wasn't there yesterday :)
>
> The dialogue has been there since I created the deletion link.

No. It didn't prevent me from removing a campaign yesterday when I followed it
(naively expecting to see a confirmation form). 

> But what to do for edit actions, i.e. for an API module that
> allows modifying one or more settings of an upload campaign (if there was such
> a module)?

Not using GET? If you are using AJAX you pass the parameters in the body of the
request.



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

--- Comment #8 from Jeroen De Dauw jeroen_ded...@yahoo.com 2011-08-31 23:50:17 UTC ---
> If you are using AJAX you pass the parameters in the body of the
> request.

These can still be obtained by a third party when not using SSL or other
encryption, right?



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

Mark A. Hershberger m...@everybody.org changed:

What     | Removed       | Added
Priority | Unprioritized | Normal
CC       |               | m...@everybody.org



[Bug 30644] UploadWizard campaigns are deleted on GET

2011-08-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=30644

MZMcBride b...@mzmcbride.com changed:

What    | Removed                      | Added
CC      |                              | b...@mzmcbride.com
Summary | Campaigns are deleted on GET | UploadWizard campaigns are deleted on GET
