
Require a token in API action=watch
Closed, ResolvedPublic


Aside from the front-end (bug 27655) the API needs to require a token as well.

Version: 1.18.x
Severity: normal




Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:38 PM
bzimport set Reference to bz29070.

Bryan.TongMinh wrote:

Please note that the token should be salted to prevent edit token leakage.

markpatrolled requires a POST. I think it would make sense to require this for watching as well.

On the other hand, with markpatrolled we ended up with a token that is not compatible between index.php and api.php (presumably because index.php should not be POST for common actions and thus got an extra salt layer). Gadgets that attempted to use the API to mark stuff as patrolled first have to make an API request to get the token; the one already on the page was not compatible.

If we could it would be great if the tokens would be the same to avoid doing the same as we did with markpatrolled. However this may have been done on purpose. I guess once bug 29067 is fixed, we don't have to worry about that anymore since gadgets could just get their tokens from there.
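The salting point raised above, as an added illustration that is not MediaWiki's code: a token derived from the session secret with the action name as salt validates only for that action, so a watch token that leaks cannot be replayed as an edit token, and the handler also enforces POST. Function and constant names here are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed example: one session secret, per-action tokens derived by HMAC
# with the action name as the salt. Names are hypothetical, not MediaWiki's.

def make_token(session_secret: bytes, salt: str) -> str:
    """Derive an action-bound token: HMAC-SHA256(session_secret, salt)."""
    return hmac.new(session_secret, salt.encode(), hashlib.sha256).hexdigest()

def check_token(session_secret: bytes, salt: str, presented: str) -> bool:
    """Constant-time check that the presented token was derived with this salt."""
    expected = make_token(session_secret, salt)
    return hmac.compare_digest(expected, presented)

def handle_watch(method: str, session_secret: bytes, token: str) -> str:
    """Simulated action=watch handler: requires POST and a 'watch'-salted token."""
    if method != "POST":
        return "mustbeposted"
    if not check_token(session_secret, "watch", token):
        return "badtoken"
    return "ok"

# Constructed session secret; in a real application it comes from the session.
SESSION_SECRET = secrets.token_bytes(32)
```

Because the salt differs, a token minted for "edit" fails the "watch" check even though both derive from the same session secret.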

Bryan.TongMinh wrote:

Breaking change, needs announce mail.

I suggest waiting until bug 27655 is fixed as well.