Page MenuHomePhabricator
Create Task
Maniphest T40190

API help docs should document "token" as param-required for modules that use tokens
Closed, ResolvedPublic
Actions

Description

Looking at https://www.mediawiki.org/w/api.php, the auto-generated documentation for action=patrol reads:

  • action=patrol * Patrol a page or revision

This module requires read rights
This module requires write rights
This module only accepts POST requests
Parameters:

token               - Patrol token obtained from list=recentchanges
rcid                - Recentchanges ID to patrol
                      This parameter is required

The token parameter is required with action=patrol, so it should be marked as such (with the text "This parameter is required").

This same problem (token parameter not being marked as required) may apply to a few other parts of the MediaWiki API's auto-generated documentation. For now, I'm focused on action=patrol.

Version: unspecified
Severity: normal

Details

Reference
bz38190

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:57 AM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz38190.
bzimport added a subscriber: Unknown Object (MLST).
MZMcBride created this task.Jul 5 2012, 8:05 AM
Krinkle added a comment.Jul 5 2012, 8:09 AM

None of the API modules that use the built-in method for token handling are have their "token" parameter documented as "This parameter is required".

The built-in (and recommended) method is:

  • getTokenSalt(): string
  • needsToken(): true

e.g. ApiBlock, ApiDelete, ApiEdit, ApiPatrol.

Umherirrender added a comment.Jul 5 2012, 4:06 PM

Sounds like a good idea, but you cannot set it for all modules with a token, because modules with "gettoken" (like block/unblock) needs a optional token param.

Umherirrender added a comment.Jul 7 2012, 6:29 AM

Done for core with gerrit 14608

Krinkle added a comment.Jul 8 2012, 10:46 PM

(In reply to comment #2)

Sounds like a good idea, but you cannot set it for all modules with a token,
because modules with "gettoken" (like block/unblock) needs a optional token
param.

The modules have needsToken: return true;

And ApiBase:

		if ( $params ) {
			foreach ( $params as $paramName => $paramSettings ) {
				if ( isset( $paramSettings[ApiBase::PARAM_REQUIRED] ) ) {
					$ret[] = array( 'missingparam', $paramName );
				}
			}
		}
		/* .. */
		if ( $this->needsToken() ) {
			$ret[] = array( 'missingparam', 'token' );
		/* .. */

So it looks like this isn't working properly?

Umherirrender added a comment.Jul 13 2012, 2:25 PM

(In reply to comment #4)

So it looks like this isn't working properly?

It works (you have to set the user param, but it works), you get the token and a warning about "The gettoken parameter has been deprecated.".

You code snap is from method ApiBase::getPossibleErrors which only gets all possible errors for action=paraminfo. it will never trigger the error.

In ApiMain::setupModule the check for the token param exist.

It looks like needsToken is superseeded by getTokenSalt.

Umherirrender added a comment.Jul 21 2012, 2:49 PM

successfully merged for core (under that this bug was filled)

Please create seperate bugs for extensions. Thanks.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL