Page MenuHomePhabricator
Create Task
Maniphest T43956

Document how to implement tokens in (extension) api modules
Closed, ResolvedPublic
Actions

Description

Currently I'm using code like this:

// Before MW 1.20
$wgHooks['ApiTokensGetTokenTypes'][] = 'ApiTranslationReview::injectTokenFunction';
// After MW 1.20
$wgHooks['APIQueryInfoTokens'][] = 'ApiTranslationReview::injectTokenFunction';

	public static function getToken() {
		global $wgUser;
		if ( !$wgUser->isAllowed( self::$right ) ) {
			return false;
		}

		return $wgUser->getEditToken( self::$salt );
	}

	public static function injectTokenFunction( &$list ) {
		$list['translationreview'] = array( __CLASS__, 'getToken' );
		return true; // Hooks must return bool
	}

However, I'd like to get rid of the global wgUser. Please document the best way to implement tokens for version 1.19 and above.

Version: 1.21.x
Severity: normal

Details

Reference
bz41956

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:54 AM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz41956.
Nikerabbit created this task.Nov 10 2012, 4:53 AM
Anomie added a comment.Nov 13 2012, 5:14 PM

That's probably the best way at the moment. All the core token-getting functions seem to use $wgUser, too.

Anomie added a comment.Sep 16 2014, 9:16 PM

Since Gerrit change 153110, things have gotten much simpler. Now most API modules will just implement ApiBase::needsToken

public function needsToken() {
    return 'csrf';
}

Using custom salts is discouraged, but if necessary is accomplished using the 'ApiQueryTokensRegisterTypes' hook:

$wgHooks['ApiQueryTokensRegisterTypes'][] = function ( &$salts ) {
    $salts['mytokentype'] = 'salt';
    return true;
};

(then needsToken() would return 'mytokentype' instead of 'csrf')

Nikerabbit added a comment.Sep 17 2014, 9:22 AM

Wonderful. Can someone make sure this ends up in a some wiki page which extension developers can easily find?

Nemo_bis added a comment.Oct 6 2014, 6:58 AM

Assigning to Brad as patch author and only person knowing about the feature.

Aklapper added a project: Documentation.Jan 7 2015, 3:31 PM
Anomie updated the task description. (Show Details)Jan 7 2015, 3:37 PM
Anomie set Security to None.
Anomie removed Anomie as the assignee of this task.Feb 19 2015, 7:19 PM
Anomie moved this task from Unsorted to Non-Code on the MediaWiki-Action-API board.
MarcoAurelio removed a parent task: T2001: [DO NOT USE] Documentation is out of date, incomplete (tracking) [superseded by #Documentation].Dec 6 2017, 7:32 PM
srodlund moved this task from Backlog to API Documentation Request on the Documentation board.Aug 17 2018, 6:31 PM
DannyS712 closed this task as Resolved.Feb 15 2020, 1:43 AM
DannyS712 claimed this task.
DannyS712 subscribed.

Added link to https://www.mediawiki.org/wiki/Manual:Hooks/ApiQueryTokensRegisterTypes in https://www.mediawiki.org/wiki/API:Extensions#Token_handling

Restricted Application added a project: User-DannyS712. · View Herald TranscriptFeb 15 2020, 1:43 AM
DannyS712 moved this task from Unsorted to Otherwise closed on the User-DannyS712 board.May 27 2020, 8:24 AM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL