https://bugzilla.wikimedia.org/show_bug.cgi?id=47480

       Web browser: ---
            Bug ID: 47480
           Summary: Watching pages (AJAX) requires WriteAPI
           Product: MediaWiki
           Version: 1.20.4
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: Unprioritized
         Component: Watchlist
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: patrickwesterh...@gmail.com
    Classification: Unclassified
   Mobile Platform: ---

The new† AJAX method of watching pages, implemented in
`/resources/mediawiki.page/mediawiki.page.watch.ajax.js`, makes use of the MW
API methods for watching pages (http://www.mediawiki.org/wiki/API:Watch).

Unfortunately, this API method is part of the editing API and as such requires
`$wgEnableWriteAPI` to be enabled *and* the `writeapi` right.

As `$wgEnableWriteAPI` is enabled by default since 1.14, it’s somewhat safe to
assume that it is enabled. The `writeapi` right however should not be required
for a basic functionality such as watching pages.

On our wiki, we have the `writeapi` enabled for autoconfirmed users and above.
This is mainly to prevent vandals from creating new users and then using the API
to quickly vandalize the wiki (yes, that has happened before).

Now with the new AJAX functionality, this implies that only autoconfirmed users
can watch pages. This is a terrible usability issue.

Watching pages, which is a very fundamental functionality for registered users,
should not be restricted by either the `writeapi` right, or even the
`$egEnableWriteAPI` setting. It makes perfect sense for wikis to disable the
write API altogether while still expecting users to be able to watch pages.

In a first step, I would argue why watching pages via the API even requires the
write API. Yes, it is a “changing” operation, but it should not be considered
an operation that changes wiki *content*. And it is restricted to the current
user anyway.

In a second step though, I think that such AJAX functionality should not make
use of the API at all, *if* said API can be disabled. Watching pages should use
a separate API which is not affected by the `$wgEnableWriteAPI` and
`$wgEnableAPI` setting.


† I actually have no idea when that was added; I have been stuck on an old MW
version for quite a while now.
