
SF AutoEdit API doesn't require edit token
Closed, Resolved, Public

Description

I noticed that when I pass an edit token to the SF AutoEdit API it gives a warning:

… 'warnings': {'main': {'*': "Unrecognized parameters: 'Team', 'token'"}}

(Ignore the Team one, that's my issue).

It seems that this API probably should handle, and even better, require an edit token given the function.


Version: master
Severity: major

Details

Reference
bz51505

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 2:07 AM
bzimport set Reference to bz51505.

aditya.iiita102 wrote:

Please tell how to reproduce this bug. I wasn't able to build the exact api url... Please share the URL if possible.

Sorry for not getting that to you, but you figured it out. In essence, that edit should NOT work without the token, but it does.

Change 121698 had a related patch set uploaded by Pawanseerwani:
Add token parameter to SF Autoedit API

https://gerrit.wikimedia.org/r/121698

pawanseerwani+bugzilla wrote:

Hi,
I have submitted a patch which solves the issue. It takes the hash string in the token parameter, checks it at the backend, and throws an exception if it's an incorrect token.

But my concern is how does the MediaWiki user generate this token?

@Jamie Thingelstad: Do you have the possibility to test the patch? I think it should work, but I am not too much into API stuff, so I'd really like somebody else to have a look. (Be aware that this patch right now will cause SF to reject its own forms, since they do not contain the token yet. This means editing is only possible using the API.)

Change 121698 merged by Foxtrott:
Add token parameter to SF Autoedit API

https://gerrit.wikimedia.org/r/121698

Note that the code has somehow made Semantic Forms incompatible with my use of Auth_remoteuser. See my lengthy report on the talk page for more information.
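
Added example, not part of the original task and not Semantic Forms or MediaWiki code: a small Python model of the behaviour reported above (the edit is saved and `token` only produces an "Unrecognized parameters" warning) next to the behaviour the merged change is described as having (the token is checked at the backend and an exception is thrown if it is wrong). The parameter names `title` and `text`, the HMAC-based token scheme and the session secret are assumptions made for the model.

```python
import hashlib
import hmac

class TokenError(Exception):
    """Raised when a write request has no valid edit token."""

KNOWN_PARAMS = {"title", "text"}  # hypothetical parameter names for this model

def issue_token(session_secret: bytes) -> str:
    # Assumption: token = HMAC-SHA256 over a fixed label, keyed per session.
    return hmac.new(session_secret, b"edit", hashlib.sha256).hexdigest()

def autoedit_before(params: dict, pages: dict) -> dict:
    """Reported behaviour: 'token' is just an unrecognized parameter, so the
    edit is saved and the caller only gets a warning."""
    pages[params["title"]] = params["text"]
    result = {"result": "saved"}
    unknown = sorted(k for k in params if k not in KNOWN_PARAMS)
    if unknown:
        names = ", ".join(f"'{k}'" for k in unknown)
        result["warnings"] = {"main": {"*": f"Unrecognized parameters: {names}"}}
    return result

def autoedit_after(params: dict, pages: dict, session_secret: bytes) -> dict:
    """Fixed behaviour: the token is required and verified before any write."""
    supplied = str(params.get("token", "")).encode()
    expected = issue_token(session_secret).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time compare
        raise TokenError("missing or invalid edit token")
    pages[params["title"]] = params["text"]
    return {"result": "saved"}

def run_checks() -> dict:
    """Regression checks a reviewer could run against both handlers."""
    secret = b"constructed-session-secret"  # constructed sample value
    edit = {"title": "Sandbox", "text": "new text"}
    outcome = {}
    pages = {}
    outcome["before_saves_without_token"] = (
        autoedit_before(edit, pages)["result"] == "saved" and "Sandbox" in pages)
    pages = {}
    try:
        autoedit_after(edit, pages, secret)
        outcome["after_rejects_without_token"] = False
    except TokenError:
        outcome["after_rejects_without_token"] = pages == {}
    good = dict(edit, token=issue_token(secret))
    outcome["after_accepts_valid_token"] = (
        autoedit_after(good, pages, secret)["result"] == "saved")
    return outcome
```

The check that matters for a regression test is the second one: a request without a token must raise and must leave the page store untouched.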