Remove old hardcoded tokens from patrol links in Flow
Closed, ResolvedPublic

Description

In c63ea5428e2f780f7bc27eb13e05e2445abed803 and related changes, the html output is hardcoded with a token parameter.

Two problems:

  • The main interface that hooks into these links (mediawiki.page.patrol in MediaWiki core) ignores any token query parameter. It uses mediawiki.api (populated by mw.user.tokens) instead.
  • For the non-javascript interface, these tokens are hurtful as they violate the GET/POST restriction for actions like these. Using GET for these is deprecated in MediaWiki and actively blocking multi-data centre readiness of MediaWiki.

Instead, the patrol action, similar to the watch action and others, will go through a confirmation page that adds the token as part of a POST form (for users without a supported JavaScript environment).

You can simply remove these tokens and core will handle it from there. The patrol action in core currently still supports passing it by GET, but this will be removed in a few weeks.

Krinkle created this task.Nov 10 2015, 2:40 AM
Krinkle updated the task description. (Show Details)
Krinkle raised the priority of this task from to Needs Triage.
Krinkle added a subscriber: Krinkle.
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptNov 10 2015, 2:40 AM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald Transcript

Change 257655 had a related patch set uploaded (by Sbisson):
Remove hardcoded token from patrol link

https://gerrit.wikimedia.org/r/257655

SBisson triaged this task as Normal priority.Dec 8 2015, 6:12 PM
SBisson claimed this task.
SBisson set Security to None.

Change 257655 merged by jenkins-bot:
Remove hardcoded token from patrol link

https://gerrit.wikimedia.org/r/257655

Catrope closed this task as Resolved.Dec 10 2015, 6:38 PM
Catrope added a subscriber: Catrope.