
Error while marking pages as 'patrolled'
Closed, Invalid (Public)

Description

Author: brandonskypimenta

Description:
When marking pages as patrolled by appending ?action=markpatrolled at the end of the URL, you will get the following error:

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again.

Return to Main Page.


Version: 1.17.x
Severity: normal

Details

Reference
bz38189

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 12:57 AM
bzimport set Reference to bz38189.
bzimport added a subscriber: Unknown Object (MLST).

This is because you're missing the rcid parameter. This is required for marking a page patrolled.

You really shouldn't be attempting to automatically mark pages patrolled anyway.

To patrol changes use Special:RecentChanges or Special:NewPages, visiting action=markpatrolled directly does not work as patrolling is per-revision not per-page. It needs a token, also.

The error could be improved though.

(In reply to comment #1)

This is because you're missing the rcid parameter. This is required for
marking a page patrolled.

I don't think this is strictly true. Looking at the "Mark this page as patrolled" link on Meta-Wiki (specifically here: https://meta.wikimedia.org/w/index.php?title=Wikimedia_Highlights,_February_2012/fi&redirect=no&rcid=3377713), it includes a (pre-filled) token parameter. For example, the link I currently have looks like this: https://meta.wikimedia.org/w/index.php?title=Wikimedia_Highlights,_February_2012/fi&action=markpatrolled&rcid=3377713&token=8db654c84c7c9ec5221fb5a3966aaf63%2B%5C. I believe the token URL parameter is the key missing element here. The token parameter looks like a protection against nefarious GET requests.

Looking at [mediawiki/core.git] / includes / actions / MarkpatrolledAction.php seems to confirm this:


		$user = $this->getUser();
		if ( !$user->matchEditToken( $request->getVal( 'token' ), $rcId ) ) {
			throw new ErrorPageError( 'sessionfailure-title', 'sessionfailure' );
		}

Source: https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes/actions/MarkpatrolledAction.php;h=ae9223f45783ced6dc89c76e7cd5af85bb375535;hb=540dfed2a6e42cbd6f761014f9213f311022458a.

You really shouldn't be attempting to automatically mark pages patrolled
anyway.

I don't think this is the bug here, though I do agree that this bug sounds invalid. People trying to mark pages as patrolled ought to use MediaWiki's API: https://www.mediawiki.org/w/api.php (search for "action=patrol"). The token parameter will still be required via the API, however. You can retrieve it using list=recentchanges, according to the docs.

(Hmm, the token parameter isn't marked as required, though. Hmmmm.)

(In reply to comment #3)

(In reply to comment #1)

This is because you're missing the rcid parameter. This is required for
marking a page patrolled.

I don't think this is strictly true. Looking at [..] it includes a (pre-filled) token parameter.
[..] https://meta.wikimedia.org/w/index.php?title=Wikimedia_Highlights,_February_2012/fi&action=markpatrolled&rcid=3377713&token=8db654c84c7c9ec5221fb5a3966aaf63%2B%5C

Both the rcid and token are required. The rcid to identify which event you're patrolling. This has always been required, without this the action is pointless as there is no action (like visiting action=delete without a title parameter). And the token is indeed a security measure to avoid CSRF attacks by loading an action=markpatrolled URL from within another website and have it work because you're logged in.
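
An added example (not part of the original thread and not MediaWiki's implementation) of the check described above: a token derived from a per-session secret and salted with the rcid, so a request without the matching token is rejected. The function names, the HMAC-SHA256 construction and the reading of an absent rcid as 0 are assumptions of the example.

```php
<?php
// Added illustration, not MediaWiki code. All function names are hypothetical.
// The token is bound to a per-session secret and salted with the rcid,
// the same shape as the matchEditToken( $token, $rcId ) check quoted above.

// Derive the token; HMAC-SHA256 is this example's choice of construction.
function makeToken(string $sessionSecret, int $rcId): string {
    return hash_hmac('sha256', (string)$rcId, $sessionSecret);
}

// Constant-time comparison; a missing or empty token never matches.
function matchToken(?string $submitted, string $sessionSecret, int $rcId): bool {
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals(makeToken($sessionSecret, $rcId), $submitted);
}

// Assumption of this example: an absent rcid is read as 0, so a bare
// ?action=markpatrolled fails the token check, not a separate rcid check.
function handleMarkPatrolled(array $query, string $sessionSecret): string {
    $rcId = (int)($query['rcid'] ?? 0);
    if (!matchToken($query['token'] ?? null, $sessionSecret, $rcId)) {
        return 'sessionfailure';
    }
    return "ok: recent change $rcId marked as patrolled";
}

// Constructed sample data.
$secret = bin2hex(random_bytes(16));  // lives only in the server-side session
$token  = makeToken($secret, 1001);   // embedded in the link the wiki renders

$requests = [
    'link rendered by the wiki'    => ['action' => 'markpatrolled', 'rcid' => '1001', 'token' => $token],
    'action appended by hand'      => ['action' => 'markpatrolled'],
    'rcid present, token missing'  => ['action' => 'markpatrolled', 'rcid' => '1001'],
    'token reused on another rcid' => ['action' => 'markpatrolled', 'rcid' => '1002', 'token' => $token],
];
foreach ($requests as $label => $query) {
    printf("%-30s %s\n", $label, handleMarkPatrolled($query, $secret));
}
```

Only the first request succeeds; the hand-appended URL from the bug report fails with the same session error as the other two because it carries no token that matches the session and rcid.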

(In reply to comment #3)

(Hmm, the token parameter isn't marked as required, though. Hmmmm.)

I filed this as bug 38190, in case anyone cares.

(In reply to comment #2)

To patrol changes use Special:RecentChanges or Special:NewPages, visiting
action=markpatrolled directly does not work as patrolling is per-revision not
per-page. It needs a token, also.

The error could be improved though.

I'm not sure the user behavior here (appending "?action=markpatrolled" to the end of the URL) justifies changing the error message. Is there a reasonable expectation that this will work?

(In reply to comment #6)

(In reply to comment #2)

To patrol changes use Special:RecentChanges or Special:NewPages, visiting
action=markpatrolled directly does not work as patrolling is per-revision not
per-page. It needs a token, also.

The error could be improved though.

I'm not sure the user behavior here (appending "?action=markpatrolled" to the
end of the URL) justifies changing the error message. Is there a reasonable
expectation that this will work?

No, it's like going to http://www.mediawiki.org/w/index.php?action=delete and expecting something to delete, even though that's impossible as no deletion target is provided.

Likewise markpatrolled applies to a recent change (identified by the rcid), and all links in the interface do this correctly. Appending that manually means nothing.

I guess the user may have the patrolling system confused with something like Extension:FlaggedRevs, which is per-page, as opposed to the patrolling system, which is per-edit.

  • Krinkle

[1] Yes, I know FlaggedRevs flags revisions, not pages. But the flag evaluates for the whole revision content, not the edit itself and as such represents the page state and affects which revision is shown when the page is accessed etc.

(In reply to comment #7)

I'm not sure the user behavior here (appending "?action=markpatrolled" to the
end of the URL) justifies changing the error message. Is there a reasonable
expectation that this will work?

No, it's like going to http://www.mediawiki.org/w/index.php?action=delete and
expecting something to delete, even though that's impossible as no deletion target
is provided.

Likewise markpatrolled applies to a recent change (identified by the rcid), and
all links in the interface do this correctly. Appending that manually means nothing.

If it's unreasonable to expect appending to the URL to work, I don't think the error message needs to be clarified/improved and I don't think there's anything actionable in this bug.

Do you see anything that's actionable?