
WatchAction breaks when $wgUseAjax = false;
Closed, ResolvedPublic

Description

When $wgUseAjax is false, the watch link on a page computes a token using WatchAction::getWatchToken(). The $salt used to create the token uses $title->getPrefixedDBkey();

When you follow the link, WatchAction::show() calls $user->matchEditToken() to validate the token passed, but show() uses $this->getTitle()->getDBkey() for its $salt.

getPrefixedDBkey() and getDBkey() are not the same, so the token fails to validate, and you can't watch or unwatch pages.
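The mismatch described above, as an added example that is not MediaWiki's code and not part of the original report. It models the edit token as an HMAC over the salt with a per-session secret (a stand-in for User::getEditToken()/matchEditToken(); MediaWiki's actual construction differs, only the salt handling matters here), uses a small constructed namespace table in which the main namespace has no prefix and other namespaces are prefixed "Name:", and contrasts a verifier that salts with the bare DB key (the bug) against one that reuses the generator's salt helper (the shape of the fix). All names below are hypothetical.

```python
"""Added illustration (hypothetical code, not MediaWiki's): a CSRF-style
edit token fails to validate when the salt used to mint it differs from the
salt used to check it, as in the WatchAction report above.  The HMAC-based
token is a stand-in for User::getEditToken()/matchEditToken()."""
import hashlib
import hmac
from dataclasses import dataclass

NS_MAIN = 0

# Constructed namespace table (assumption): the main namespace has no
# prefix, every other namespace is rendered as "Prefix:DBkey".
NAMESPACE_PREFIXES = {0: "", 1: "Talk", 2: "User"}


@dataclass(frozen=True)
class Title:
    namespace: int
    dbkey: str  # page name with spaces replaced by underscores

    def get_dbkey(self) -> str:
        return self.dbkey

    def get_prefixed_dbkey(self) -> str:
        prefix = NAMESPACE_PREFIXES[self.namespace]
        return f"{prefix}:{self.dbkey}" if prefix else self.dbkey


class Session:
    """Stand-in for the per-session secret that the edit token is bound to."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def get_edit_token(self, salt: str) -> str:
        return hmac.new(self._secret, salt.encode(), hashlib.sha256).hexdigest()

    def match_edit_token(self, token: str, salt: str) -> bool:
        # Constant-time compare so the check cannot leak the token byte by byte.
        return hmac.compare_digest(self.get_edit_token(salt), token)


def watch_salt(title: Title, action: str) -> str:
    """Salt the way the report says getWatchToken() builds it: the action
    plus the *prefixed* DB key."""
    return f"{action}:{title.get_prefixed_dbkey()}"


def get_watch_token(session: Session, title: Title, action: str = "watch") -> str:
    return session.get_edit_token(watch_salt(title, action))


def show_buggy(session: Session, title: Title, action: str, token: str) -> bool:
    """Verifier as described for the broken show(): salts with the bare DB key,
    so it only agrees with the generator when prefixed and bare keys coincide."""
    return session.match_edit_token(token, f"{action}:{title.get_dbkey()}")


def show_fixed(session: Session, title: Title, action: str, token: str) -> bool:
    """Verifier that derives its salt from the same helper as the generator:
    one source of truth for the salt, which is what the merged fix achieves."""
    return session.match_edit_token(token, watch_salt(title, action))


def demo() -> dict:
    """Mint a watch token for a main-namespace and a Talk: page, then run both
    verifiers over each.  Returns {title: {"buggy": bool, "fixed": bool}}."""
    session = Session(secret=b"constructed-session-secret")
    pages = (("Main_Page", Title(NS_MAIN, "Main_Page")),
             ("Talk:Main_Page", Title(1, "Main_Page")))
    results = {}
    for name, title in pages:
        token = get_watch_token(session, title, "watch")
        results[name] = {
            "buggy": show_buggy(session, title, "watch", token),
            "fixed": show_fixed(session, title, "watch", token),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: buggy verifier accepts={outcome['buggy']}, "
              f"fixed verifier accepts={outcome['fixed']}")
```

Running it shows the edge case worth knowing when reproducing: for a main-namespace page the prefixed and bare keys are identical, so even the buggy verifier accepts the token, and the failure only appears on prefixed titles such as Talk:Main_Page. The fixed verifier also still rejects a token minted for a different action or under a different session secret, so sharing the salt helper does not weaken the binding.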

Event Timeline

Firebus raised the priority of this task from to Needs Triage.
Firebus updated the task description. (Show Details)
Firebus added a project: MediaWiki-Watchlist.
Firebus added a subscriber: Firebus.

Here's a patch with the fix I'm using in MW 1.24, I think it should still apply cleanly to HEAD

Thanks for taking a look at the code!

You are very welcome to use developer access to submit this as a Git branch directly into Gerrit.

Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!

Aklapper triaged this task as Medium priority.Jul 25 2015, 1:00 PM

Oh, sweet, I didn't know I could set up my own branches as just a random guy off the street :) I'll get this into Gerrit tonight or tomorrow.

Tomorrow finally came! Here's the commit in Gerrit: https://gerrit.wikimedia.org/r/228774 (though I suspect it will eventually appear here on its own?)

(though I suspect it will eventually appear here on its own?)

Only when following https://www.mediawiki.org/wiki/Gerrit/Commit_message_guidelines :)

D'oh :( That did not jump out at me on https://www.mediawiki.org/wiki/Git/Tutorial, though it is linked out, sorry!

Change 228774 had a related patch set uploaded (by Nemo bis):
Match salt of WatchAction::show() and getWatchToken()

https://gerrit.wikimedia.org/r/228774

Change 228774 merged by jenkins-bot:
Match salt of WatchAction::show() and getWatchToken()

https://gerrit.wikimedia.org/r/228774

Legoktm assigned this task to Firebus.
Legoktm set Security to None.