
Migrate mobile editor to CSRF from edit token in TalkSectionAddOverlay
Closed, Resolved | Public | 3 Estimated Story Points


  1. Make sure that the MobileFrontend extension is installed.
  2. Visit a mobile talk page (e.g., http://localhost:8080/wiki/User_talk:Stephen?debug=true#/talk on your local machine)
  3. Press "add discussion" at the bottom
  4. Enter some text
  5. Press "save"

The following warning is printed to the console of your web browser's developer tools:

Use of the "edit" token is deprecated. Use "csrf" instead. http://localhost:8080/w/resources/src/mediawiki/api.js?8308a

mapLegacyToken @ api.js?8308a:47
getToken @ api.js?8308a:367
postWithToken @ api.js?8308a:315
save @ TalkSectionAddOverlay.js?5f060:160
onSaveClick @ TalkSectionAddOverlay.js?5f060:101
proxy @ load.php?debug=true&lang=en&modules=jquery%2Cmediawiki&only=scripts&skin=minerva&version=1mi7wed:496
dispatch @ load.php?debug=true&lang=en&modules=jquery%2Cmediawiki&only=scripts&skin=minerva&version=1mi7wed:5206
elemData.handle @ load.php?debug=true&lang=en&modules=jquery%2Cmediawiki&only=scripts&skin=minerva&version=1mi7wed:5014

We should migrate this code so it doesn't break unexpectedly when the old way is no longer supported.

Acceptance criteria

  • Category, Talk and Edit overlays should make use of the csrf token rather than the edit token
  • We'll probably need to update tests and add tests for the CategoryGateway
  • Previous changes have introduced bugs so we'll want to simulate a few error and success cases to verify the change has been successful
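
A small Node.js check for the first acceptance criterion, added here as an example and not part of MobileFrontend or of the merged patch: it lists string-literal uses of the deprecated token type in postWithToken/getToken calls and rewrites them. The sample source, the function names and the DEPRECATED table are constructed for illustration; only the "edit" to "csrf" mapping comes from the warning quoted above.

```javascript
// Added example, not MobileFrontend code. Only the edit -> csrf mapping is
// taken from the console warning in the task; extend DEPRECATED as needed.
const DEPRECATED = { edit: 'csrf' };

// Matches postWithToken( 'type' and getToken( "type" with a string-literal
// first argument. Calls that pass a variable are not matched: review by hand.
const CALL_RE = /\b(postWithToken|getToken)\s*\(\s*(['"])([A-Za-z]+)\2/g;

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isCommentLine = (text) => /^\s*(\/\/|\/\*|\*)/.test(text);

// Report every call site that still passes a deprecated token type.
function findLegacyTokenCalls(source, deprecated = DEPRECATED) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    if (isCommentLine(text)) return;
    for (const [, method, , tokenType] of text.matchAll(CALL_RE)) {
      if (has(deprecated, tokenType)) {
        findings.push({ line: index + 1, method, tokenType,
          replacement: deprecated[tokenType] });
      }
    }
  });
  return findings;
}

// Rewrite only the token-type argument; request parameters such as
// action: 'edit' are left alone because they are not inside the call match.
function migrate(source, deprecated = DEPRECATED) {
  return source.split('\n').map((text) => (isCommentLine(text) ? text :
    text.replace(CALL_RE, (whole, method, quote, tokenType) => (
      has(deprecated, tokenType)
        ? whole.slice(0, -(tokenType.length + 1)) + deprecated[tokenType] + quote
        : whole)))).join('\n');
}

// Constructed sample modelled on an overlay's save path.
const SAMPLE = [
  "// was: api.postWithToken( 'edit', data )",
  'save: function () {',
  "  return this.api.postWithToken( 'edit', {",
  "    action: 'edit', section: 'new', title: this.title",
  '  } );',
  '},',
  "watch: function () { return this.api.postWithToken( 'watch', {} ); },",
  'token: function () { return this.api.getToken( "edit" ); }'
].join('\n');

console.log(findLegacyTokenCalls(SAMPLE));
```

Running findLegacyTokenCalls again on the output of migrate is a quick regression check that no literal legacy token type remains.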

Event Timeline

ovasileva triaged this task as Medium priority. Feb 28 2018, 5:48 PM
Jdlrobson set the point value for this task to 3.
Jdlrobson lowered the priority of this task from Medium to Low. Aug 30 2018, 1:35 AM

(I tried to follow the steps and it looks like User_talk: is required instead of User:, so I boldly edited the task description.)

Change 475831 had a related patch set uploaded (by LukBukkit; owner: LukBukkit):
[mediawiki/extensions/MobileFrontend@master] Use the 'csrf' token to authenticate post requests

Change 475831 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Use the 'csrf' token to authenticate post requests

I've tested editing, talk and categories on the following browsers and all work without problem:

  • Chrome mobile
  • Chrome desktop
  • Firefox desktop
  • Firefox mobile
  • Dolphin
  • Safari desktop