Page MenuHomePhabricator

Misleading starttimestamp documentation in Edit API
Closed, ResolvedPublic

Description

I believe that the internal documentation in ApiEditPage.php is misleading for the starttimestamp parameter, particularly in light of the newer action=tokens scheme.

Specifically, it states that you need to specify the time when you last retrieved the edit token. Given that edit tokens don't change across pages provided you're in the same session, a bot left running could conceivably have an edit token that's hours (or a whole lot more) old. The page being edited, however, may have just been read moments ago. From what I understand of the EditPage.php code, I believe that providing the timestamp from when the edit token was retrieved could lead to an incorrect page-deleted challenge if the page were deleted and then restored at any point after retrieving the edit token.

The text should be changed to something similar to https://www.mediawiki.org/wiki/Manual:Parameters_to_index.php, since the API edit is just a wrapper around EditPage.php anyway.

Now, assuming that everything I said above is correct, this then leads to the question: why have starttimestamp at all, since it should really be the same as basetimestamp in all cases, unless I've grossly misunderstood something. I'll leave that assertion to be confirmed (and posted?) by those more familiar with MediaWiki than I am.


Version: 1.22.0
Severity: normal

Details

Reference
bz61412

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 2:56 AM
bzimport set Reference to bz61412.
bzimport added a subscriber: Unknown Object (MLST).

(In reply to Robert Morley from comment #0)

Now, assuming that everything I said above is correct, this then leads to
the question: why have starttimestamp at all, since it should really be the
same as basetimestamp in all cases, unless I've grossly misunderstood
something.

You have. Doing as you propose would reopen bug 15647.

The text should be changed to something similar to
https://www.mediawiki.org/wiki/Manual:Parameters_to_index.php, since the API
edit is just a wrapper around EditPage.php anyway.

Personally, I find that slightly vague for the API. Maybe just a clarification along the lines of "Timestamp when you started editing the page, e.g. when you fetched the current revision's text to begin editing it or checked the (non-)existence of the page."

At any rate, once the wording is decided on this would be easy enough for someone to fix.

Yes, as I thought about it more, I realized why there needed to be a second time, since you might have loaded a version that has now been deleted and should not be restored.

This makes me wonder if the token timestamp should perhaps be decoupled from the token itself. If you don't get the load time from the server through some method, it opens up the possibility that the edit time you submit may be off by a few seconds and fail to flag a conflict.

As for the wording itself, what you used above covers all the bases, I think.

https://www.mediawiki.org/wiki/API:Edit was updated shortly after this bug was filed in February with the discussed language regarding 'starttimestamp'. Besides that page is there another location that would benefit from clarification? If not, this ticket could be closed.

The help text in ApiEditPage.php reads correctly now, so I'd say this can be closed.