
Make ?action=markpatrolled require POST
Closed, Resolved · Public


This would avoid DBPerformance log warnings about DB updates on HTTP GET.

Event Timeline

aaron triaged this task as Low priority. Mar 28 2016, 6:37 PM
Krinkle raised the priority of this task from Low to Needs Triage. Mar 28 2016, 6:37 PM
Krinkle triaged this task as Low priority.
Krinkle added a project: MediaWiki-Patrolling.
Krinkle added a subscriber: Krinkle.

In principle, MediaWiki already attaches JS click handlers to these links and submits a POST to the API to perform the action.

However, there are two cases in which this may still cause the action to happen over GET outside the API:

  • The HTML output still provides a token in the query parameter of the fallback URL, which means that in case JavaScript didn't initialise for this browser, the fallback is to perform the action immediately instead of linking to an interstitial form (like we do with purge and watch).
  • Some pages may be missing the ajax module and thus have the fallback for everyone on those pages.

The first action item would be to remove support for token on that entry point over GET so that even the current implementation (and any stray pointers from gadgets, potentially) will naturally end up serving the POST-ification form instead. We did this with watch already, I think. And I'm doing the same with rollback too.
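The entry-point behaviour proposed in the comment above, as an added Python example that is not MediaWiki code and not part of this task: a GET never writes, even with a valid token in the query string, and instead returns the interstitial form, while only a POST carrying a valid token performs the update. The handler name, the `rcid` parameter, the HMAC token scheme and the in-memory `patrolled` set are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value for this example
patrolled = set()                    # stands in for the database write


def make_token(session_id: str, rcid: int) -> str:
    """Per-session, per-change token (hypothetical HMAC scheme)."""
    msg = f"{session_id}:{rcid}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_markpatrolled(method: str, session_id: str, params: dict):
    """Return (status, body). Only a POST with a valid token writes."""
    try:
        rcid = int(params.get("rcid", ""))
    except ValueError:
        return 400, "bad rcid"

    if method != "POST":
        # Any token in the query string is ignored here. Old links and
        # gadget URLs land on the confirmation form instead of writing.
        token = make_token(session_id, rcid)
        return 200, (
            '<form method="post" action="?action=markpatrolled">'
            f'<input type="hidden" name="rcid" value="{rcid}">'
            f'<input type="hidden" name="token" value="{token}">'
            "<button>Mark as patrolled</button></form>"
        )

    supplied = params.get("token", "").encode()
    expected = make_token(session_id, rcid).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403, "bad token"

    patrolled.add(rcid)  # the only code path that changes state
    return 200, "marked as patrolled"
```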

aaron renamed this task from "Replace ?action=markpatrolled links with JS that does an API POST" to "Make ?action=markpatrolled require POST". Jun 20 2016, 9:21 PM

Change 318124 had a related patch set uploaded (by Krinkle):
[WIP] Convert action=markpatrolled fallback to use POST

Change 318124 merged by jenkins-bot:
Convert action=markpatrolled fallback interface to HTTP POST