When $wgUseAjax is false, the watch link on a page computes a token using WatchAction:getWatchToken(). The $salt used to create the token uses $title->getPrefixedDBkey();
When you follow the link, WatchAction:show() calls $user->matchEditToken() to validate the token passed, but show() uses $this->getTitle()->getDBkey() for its $salt.
getPrefixedDBKey() and getDBKey() are not the same, so the token fails to validate, and you can't watch or unwatch pages.
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Match salt of WatchAction::show() and getWatchToken() | mediawiki/core | master | +1 -1 |
Here's a patch with the fix I'm using in MW 1.24, I think it should still apply cleanly to HEAD
Thanks for taking a look at the code!
You are very welcome to use developer access to submit this as a Git branch directly into Gerrit.
Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!
Oh, sweet, I didn't know I could set up my own branches as just a random guy off the street :) I'll get this into Gerrit tonight or tomorrow.
Tomorrow finally came! Here's the commit in Gerrit: https://gerrit.wikimedia.org/r/228774 (though I suspect it will eventually appear here on it's own?)
Only when following https://www.mediawiki.org/wiki/Gerrit/Commit_message_guidelines :)
D'oh :( That did not jump out at me on https://www.mediawiki.org/wiki/Git/Tutorial, though it is linked out, sorry!
Change 228774 had a related patch set uploaded (by Nemo bis):
Match salt of WatchAction::show() and getWatchToken()
Change 228774 merged by jenkins-bot:
Match salt of WatchAction::show() and getWatchToken()