WatchAction: Require POST for index.php action=watch
author Timo Tijhof <krinklemail@gmail.com>
Mon, 28 Sep 2015 21:32:45 +0000 (14:32 -0700)
committer Timo Tijhof <krinklemail@gmail.com>
Mon, 28 Sep 2015 22:21:12 +0000 (15:21 -0700)
commit 77cdf1919a418fa1c306b066259b2a4e4300eb6d
tree c07174b21441182f32fc9b950ee1d8dca8d40acf
parent 5ca028cac137fae6e539a06dcc554a0854b45221
WatchAction: Require POST for index.php action=watch

The GET variant was already rarely used because our frontend enhances these links
with a click handler that uses AJAX to make a POST request to the API.
Neither the index.php url nor its token was used for the majority of users.

Simplify this by stripping the 'token' query from these urls and requiring a POST
request for index.php?action=watch and unwatch.

* FormAction: Actually set a proper '<form action>' instead of letting HTMLForm
  default to a confusing title path (e.g. /wiki/Pagename). Article path should
  not be used for POST requests.

* WatchAction: Group all FormAction-related methods together.

* WatchAction: Make token consistent with other actions now that it is POST-only
  (no "stronger" salt containing the page title).

* Remove unused mediawiki.page.startup dependency from mediawiki.page.watch.ajax.

* WatchAction: If accessed over GET directly (e.g. for users without JavaScript)
  display a confirmation form that submits the token. Similar to PurgeAction.

Change-Id: I504f457e68a133bcfc418cff13b838080fec1008
includes/actions/Action.php
includes/actions/FormAction.php
includes/actions/WatchAction.php
includes/skins/SkinTemplate.php
includes/specials/SpecialUnwatchedpages.php
resources/Resources.php
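
The flow the commit message describes (a GET only renders a confirmation form carrying the token, and only a POST with a valid token changes state), sketched as an added example. It is not MediaWiki code and not taken from this commit; `csrfToken`, `handleWatch` and the in-memory session and watchlist arrays are hypothetical.

```php
<?php
// Added illustration, not MediaWiki code: every name here is hypothetical.
// Per-session CSRF token, shared by all actions (no per-page salt).
function csrfToken(array &$session): string {
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(16));
    }
    return $session['csrf'];
}

// Returns [HTTP status, body]. State changes only on POST with a valid token.
function handleWatch(string $method, array $query, array $post,
                     array &$session, array &$watchlist): array {
    $action = $query['action'] ?? '';
    $title  = $query['title'] ?? '';
    if (!is_string($title) || $title === ''
        || !in_array($action, ['watch', 'unwatch'], true)) {
        return [400, 'bad request'];
    }
    if ($method !== 'POST') {
        // GET never mutates: render a confirmation form that submits the token.
        $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES);
        $url = 'index.php?' . http_build_query(['title' => $title, 'action' => $action]);
        $form = '<form method="post" action="' . $e($url) . '">'
            . '<input type="hidden" name="token" value="' . $e(csrfToken($session)) . '">'
            . '<button type="submit">Confirm ' . $e($action) . '</button></form>';
        return [200, $form];
    }
    $sent = $post['token'] ?? '';
    if (!is_string($sent) || !isset($session['csrf'])
        || !hash_equals($session['csrf'], $sent)) {
        return [403, 'invalid token'];
    }
    if ($action === 'watch') {
        $watchlist[$title] = true;
    } else {
        unset($watchlist[$title]);
    }
    return [200, $action . ' ok'];
}

// Constructed requests: a plain GET link, a POST with a guessed token,
// then the POST that the confirmation form would submit.
$session = []; $watchlist = [];
$q = ['action' => 'watch', 'title' => 'Sandbox'];
[$s1] = handleWatch('GET', $q, [], $session, $watchlist);
[$s2] = handleWatch('POST', $q, ['token' => 'guess'], $session, $watchlist);
[$s3] = handleWatch('POST', $q, ['token' => $session['csrf']], $session, $watchlist);
printf("GET=%d guessed-token POST=%d valid-token POST=%d watched=%s\n",
    $s1, $s2, $s3, isset($watchlist['Sandbox']) ? 'yes' : 'no');
```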