The new† AJAX method of watching pages, implemented in /resources/mediawiki.page/mediawiki.page.watch.ajax.js, makes use of the MW API methods for watching pages (http://www.mediawiki.org/wiki/API:Watch).
Unfortunately, this API method is part of the editing API and as such requires $wgEnableWriteAPI to be enabled *and* the writeapi right.
As $wgEnableWriteAPI is enabled by default since 1.14, it’s somewhat safe to assume that it is enabled. The writeapi right however should not be required for a basic functionality such as watching pages.
On our wiki, we have the writeapi enabled for autoconfirmed users and above. This is mainly to prevent vandals from creating new users and then using the API to quickly vandalize the wiki (yes, that has happened before).
Now with the new AJAX functionality, this implies that only autoconfirmed users can watch pages. This is a terrible usability issue.
Watching pages, which is a very fundamental functionality for registered users, should not be restricted by either the writeapi right, or even the $wgEnableWriteAPI setting. It makes perfect sense for wikis to disable the write API altogether while still expecting users to be able to watch pages.
In a first step, I would argue why watching pages via the API even requires the write API. Yes, it is a “changing” operation, but it should not be considered an operation that changes wiki *content*. And it is restricted to the current user anyway.
In a second step though, I think that such AJAX functionality should not make use of the API at all, *if* said API can be disabled. Watching pages should use a separate API which is not affected by the $wgEnableWriteAPI and $wgEnableAPI settings.
† I actually have no idea when that was added; I have been stuck on an old MW version for quite a while now.
Version: 1.20.x
Severity: major