
WatchAction breaks when $wgUseAjax = false;
Closed, Resolved (Public)


When $wgUseAjax is false, the watch link on a page computes a token using WatchAction::getWatchToken(). The $salt used to create the token uses $title->getPrefixedDBkey().

When you follow the link, WatchAction::show() calls $user->matchEditToken() to validate the token passed, but show() uses $this->getTitle()->getDBkey() for its $salt.

getPrefixedDBkey() and getDBkey() are not the same, so the token fails to validate, and you can't watch or unwatch pages.
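
The mismatch described above, modelled as an added example that is not part of the original task and is not MediaWiki's code: `DemoTitle`, `makeToken()`, `matchToken()`, `watchSalt()`, the HMAC construction and the sample title are all assumptions made for illustration. It shows a salted token failing validation when the issuing and checking sides derive the salt differently, and one way to keep both sides on a single derivation.

```php
<?php
// Added illustration only. Every name here is hypothetical, and the HMAC
// construction is an assumption, not MediaWiki's token algorithm.

const SESSION_SECRET = 'constructed-per-session-secret'; // constructed sample value

// Hypothetical stand-in for a page title: a namespace prefix plus a DB key.
final class DemoTitle {
    private $nsPrefix;
    private $dbKey;

    public function __construct(string $nsPrefix, string $dbKey) {
        $this->nsPrefix = $nsPrefix;
        $this->dbKey = $dbKey;
    }

    public function getDBkey(): string {
        return $this->dbKey;
    }

    public function getPrefixedDBkey(): string {
        return $this->nsPrefix . ':' . $this->dbKey;
    }
}

// Bind a token to the session secret and to a salt naming what it is for.
function makeToken(string $salt): string {
    return hash_hmac('sha256', $salt, SESSION_SECRET);
}

// Recompute the token for the expected salt and compare in constant time.
function matchToken(string $presented, string $salt): bool {
    return hash_equals(makeToken($salt), $presented);
}

// One shared derivation, so issuer and validator cannot drift apart.
function watchSalt(DemoTitle $title): string {
    return $title->getPrefixedDBkey();
}

$title = new DemoTitle('User_talk', 'Example'); // constructed sample title

// Mismatch: the link is salted with the prefixed key, the handler checks the
// bare key. The salts differ, so a legitimate token is rejected.
$linkToken = makeToken($title->getPrefixedDBkey());
var_dump(matchToken($linkToken, $title->getDBkey()));

// Both sides call watchSalt(), so the same token validates.
$linkToken = makeToken(watchSalt($title));
var_dump(matchToken($linkToken, watchSalt($title)));
```

Because the salt mismatch rejects valid tokens rather than accepting invalid ones, it fails closed: the symptom is a broken feature, not a CSRF bypass.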

Event Timeline

Firebus raised the priority of this task from to Needs Triage.
Firebus updated the task description.
Firebus added a project: MediaWiki-Watchlist.
Firebus added a subscriber: Firebus.

Here's a patch with the fix I'm using in MW 1.24; I think it should still apply cleanly to HEAD.

Thanks for taking a look at the code!

You are very welcome to use developer access to submit this as a Git branch directly into Gerrit.

Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!

Aklapper triaged this task as Medium priority. Jul 25 2015, 1:00 PM

Oh, sweet, I didn't know I could set up my own branches as just a random guy off the street :) I'll get this into Gerrit tonight or tomorrow.

Tomorrow finally came! Here's the commit in Gerrit: (though I suspect it will eventually appear here on its own?)

(though I suspect it will eventually appear here on its own?)

Only when following :)

D'oh :( That did not jump out at me on, though it is linked out, sorry!

Change 228774 had a related patch set uploaded (by Nemo bis):
Match salt of WatchAction::show() and getWatchToken()

Change 228774 merged by jenkins-bot:
Match salt of WatchAction::show() and getWatchToken()

Legoktm assigned this task to Firebus.
Legoktm set Security to None.