Aside from the front-end (bug 27655) the API needs to require a token as well.
Version: 1.18.x
Severity: normal
Description
Description
Details
Details
- Reference
- bz29070
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T29655 Require token for watching/unwatching pages | |||
| Resolved | Catrope | T31070 Require a token in API action=watch |
Event Timeline
Comment Actions
Bryan.TongMinh wrote:
Please note that the token should be salted to prevent edit token leakage.
Comment Actions
markpatrolled requires a POST. I think it would make sense to require this for watching as well.
On the other hand, with markpatrolled we ended up with a token that is not compatible between index.php and api.php (presumably becuase index.php should not be POST for common actions and thus got an extra salt layer). Gadgets that attempted to use the API to mark stuff as patrolled first have to make an API request to get the token, the one already on the page was not compatible.
If we could it would be great if the tokens would be the same to avoid doing the same as we did with markpatrolled. However this may have been done on purpose. I guess once bug 29067 is fixed, we don't have to worry about that anymore since gadgets could just get their tokens from there.