Page MenuHomePhabricator

Migrate mobile editor to CSRF from edit token in TalkSectionAddOverlay
Closed, ResolvedPublic3 Story Points

Description

  1. Make sure that the MobileFrontend extension is installed.
  2. Visit a mobile talk page (e.g., http://localhost:8080/wiki/User_talk:Stephen?debug=true#/talk on your local machine)
  3. Press "add discussion" at the bottom
  4. Enter some text
  5. Press "save"

The following warning is printed to the console of your web browser's developer tools:

Use of the "edit" token is deprecated. Use "csrf" instead. http://localhost:8080/w/resources/src/mediawiki/api.js?8308a

mapLegacyToken @ api.js?8308a:47
getToken @ api.js?8308a:367
postWithToken @ api.js?8308a:315
save @ TalkSectionAddOverlay.js?5f060:160
onSaveClick @ TalkSectionAddOverlay.js?5f060:101
proxy @ load.php?debug=true&lang=en&modules=jquery%2Cmediawiki&only=scripts&skin=minerva&version=1mi7wed:496
dispatch @ load.php?debug=true&lang=en&modules=jquery%2Cmediawiki&only=scripts&skin=minerva&version=1mi7wed:5206
elemData.handle @ load.php?debug=true&lang=en&modules=jquery%2Cmediawiki&only=scripts&skin=minerva&version=1mi7wed:5014

We should migrate this code so it doesn't break unexpectedly when the old way is no longer supported.

Acceptance criteria

  • Category, Talk and Edit overlays should make use of the csrf token rather than the edit token
  • We'll probably need to update tests and add tests for the CategoryGateway
  • Previous changes have introduced bugs so we'll want to simulate a few error and success cases to verify the change has been successful

Details

Related Gerrit Patches:
mediawiki/extensions/MobileFrontend : masterUse the 'csrf' token to authenticate post requests

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 27 2018, 10:00 PM
ovasileva triaged this task as Medium priority.Feb 28 2018, 5:48 PM
Jdlrobson updated the task description. (Show Details)Mar 6 2018, 5:50 PM
Jdlrobson updated the task description. (Show Details)Mar 6 2018, 5:53 PM
Jdlrobson set the point value for this task to 3.
Jdlrobson lowered the priority of this task from Medium to Low.Aug 30 2018, 1:35 AM
Aklapper updated the task description. (Show Details)Oct 5 2018, 11:17 AM
Aklapper updated the task description. (Show Details)Oct 5 2018, 11:21 AM

(I tried to follow the steps and it looks like User_talk: is required instead of User:, so I boldly edited the task description.)

Change 475831 had a related patch set uploaded (by LukBukkit; owner: LukBukkit):
[mediawiki/extensions/MobileFrontend@master] Use the 'csrf' token to authenticate post requests

https://gerrit.wikimedia.org/r/475831

Change 475831 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Use the 'csrf' token to authenticate post requests

https://gerrit.wikimedia.org/r/475831

Jdlrobson updated the task description. (Show Details)Nov 28 2018, 2:08 AM
Jdlrobson added a subscriber: LukBukkit.
Jdlrobson closed this task as Resolved.Nov 29 2018, 7:20 PM

I've tested editing, talk and categories on the following browsers and all work without problem:

  • Chrome mobile
  • Chrome desktop
  • Firefox desktop
  • Firefox mobile
  • Dolphin
  • Safari desktop