Page MenuHomePhabricator

Remove old hardcoded tokens from patrol links in Flow
Closed, ResolvedPublic

Description

In c63ea5428e2f780f7bc27eb13e05e2445abed803 and related changes, the html output is hardcoded with a token parameter.

Two problems:

  • The main interface that hooks into these links (mediawiki.page.patrol in MediaWiki core) ignores any token query parameter. It uses mediawiki.api (populated by mw.user.tokens) instead.
  • For the non-javascript interface, these tokens are hurtful as they violate the GET/POST restriction for actions like these. Using GET for these is deprecated in MediaWiki and actively blocking multi-data centre readiness of MediaWiki.

Instead, the patrol action, similar to the watch action and others, will go through a confirmation page that adds the token as part of a POST form (for users without a supported JavaScript environment).

You can simply remove these tokens and core will handle it from there. The patrol action in core currently still supports passing it by GET, but this will be removed in a few weeks.

Event Timeline

Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description. (Show Details)
Krinkle added a subscriber: Krinkle.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald Transcript

Change 257655 had a related patch set uploaded (by Sbisson):
Remove hardcoded token from patrol link

https://gerrit.wikimedia.org/r/257655

SBisson triaged this task as Medium priority.
SBisson set Security to None.

Change 257655 merged by jenkins-bot:
Remove hardcoded token from patrol link

https://gerrit.wikimedia.org/r/257655

Catrope added a subscriber: Catrope.