* (bug 27655) Require token for watching/unwatching pages
* Previously done for API (bug 29070) in r88522
* As with markpatrolled, the tokens are not compatible and made that way on purpose. The API requires the POST method and uses a universal token per-session. Since the front-end is all GET based (also per convention like in markpatrolled and rollback) they are stronger salted (title / action specific)
* ajax.watch used the API already and was switched in r88554.
* The actual watching/unwatching code was moved from WatchAction->onView to WatchAction::doWatch. This was done to allow the API to do the action without needing to generate a token like the front-end needs (or having to duplicate code). It is now similar to RecentChange::markPatrolled (in that it also a "central" function that does not care about tokens, it's called after the token-handling)
* JavaScript / Gadgets that utilize action=watch in their scripts:
** Effects should be minimal as they should be using the API (see r88522 and wikitech-l)
** If they use index.php and scrap the link from the page, they can continue to do so.
* There are links to the watch action all over the place. I've tried to catch most of them, but there may be some I miss. Migration in most cases is just a matter of adding an array item to the $query for:
'token' => WatchAction::getWatchToken( $title, $user [, $action] )
or changing:
Action::factory( 'watch', $article )->execute();
to:
WatchAction::doWatch( $title, $user );
While replacing the usages in some cases an instance of Article() no longer had to be created, in others $wgUser had to be retrieved from global (which was implied before but needs to be given directly now)
Other notes:
* Article->unwatch() and Article->watch(), which were deprecated as of 1.18 and are no longer used in core, may be broken in scenarios where the Request does not have a 'token' but is making a call to $article->watch()
* Some extensions need to be fixed, I'm currently running a grep search and will fix them a.s.a.p
[1] http://www.mediawiki.org/wiki/ResourceLoader/Default_modules?mw.user#tokens
* Replaced wfProfileClose() and wfGetProfilingOutput() by direct calls to the Profiler instance and removed them, no uses in extensions
* Also removed useless params from Profiler::getOutput() call in wfLogProfilingData()
* Only generate profiling output if it'll be used; introduced Profiler::logData() that saves profiling data (database, udp, ...) to separate it from output generation
* Removed unused Profiler::getCaller(), not used at all, and we have wfGetCaller() that does the same thing
* Actions come in two flavours: the show-a-form-then-do-something-with-the-result (delete, protect, edit, etc) and the just-do-something (watch, rollback, patrol, etc). Create abstract base classes Action and FormlessAction to support these two cases. HTMLForm is an integral part of the form-based structure.
* Look mum, no globals! :D Fully context-based.
* Implement watch/unwatch, credits and delete actions in the new system as proof-of-concept. This also gives the delete frontend a much-needed overhaul.
* Stub out the newly-deprecated functions from Article.php. This already reduces its linecount by about 15%, and there are plenty more actions still to do.
* Centralising actions like this is going to render a lot of hooks type-incompatible. There's simply nowhere you can put the ArticleConfirmDelete hook, for instance, where it can be passed an OutputPage as the second parameter. On the other hand, we can implement new hooks like ActionModifyFormFields and ActionBeforeFormDisplay, which can do much prettier stuff to the forms, like adding extra fields the 'right' way. Update LiquidThreads to use these new hooks where appropriate.
Well, the more sane way, is just treat them seperately, than having to do $value = $value[0];, based on whether it was an array already
Cheers to Siebrand (was already poking it myself :))
Move code into getParameterFromSettings, most of the flesh is there anyway (it checks isset( $value ) ), so we can use the else to check if it's required
A followup could be to whinge if '' is returned for a string
use self consistently
Fold in duplicate loop
missingparam can be done during attempt to set ParamCache, we might aswell give up and not finish populating the param cache if we're gonna die from a missing param
* Introduced a "cache mode" concept to simplify the header generation code, and to avoid odd results when conflicting cache header requests are received from submodules, or at least to formalise the handling of such cases.
* Made the cache mode private by default, so that code written in ignorance of caching tends to be safe. If different query modules are used in a single request, private caching is preferred over public caching.
* Removed the "must-revalidate" option from all CC headers, this is really specific to page views with a hacked squid in front, I don't think it's applicable here.
* Made the watchlist module private. This is really the definition of private data. There's nothing in the HTTP spec that says the URL for a CC:public request is private and can't be leaked. CC:private provides protection against unknown proxy behaviour.
* In ApiQueryAllmessages: avoid calling $wgLang->getCode() to check if it's necessary to make a new $wgLang when lang= is specified, since this is the only thing that unstubs $wgUser.
* Removed "FIXME: should this check $user instead of $wgUser?" Answer is no.
* Define variable for ApiUserrights.php that wasn't defined before.
* Add convertVerifyErrorToStatus and getVerificationErrorCode to
UploadBase to translate error consts since UploadFromUrl will
need a message to display to end-users.
* refactor mime-checking out of UploadBase::verifyFile into
UploadBase::verifyMimeType
* Make UploadBase::verifyFile always return arrays for errors
* Use HttpFunctions instead of custom curl handler for async downloading
* TODO: Need a way to feed errors back to the requestor
* TODO: Need to add watchlist param handling and warnings checks.
Again partial fix to bug 23167
Bugfix watch on creation (edit and upload), in current form, setting unwatch, or nochange would follow watchcreation, which wasn't requested
* Refactoring ApiUpload & UploadBase to make it easier to extend & read.
* Use a class constant for the upload session key instead of a hard-coded-across-several-files value.
* Add UploadBase::appendToUploadFile() method to enable protocols that do incremental upload.
Deprecate old watch/unwatch parameters
Move generic watchlist stuff to ApiBase/getWatchlistValue (maybe needs renaming better?)
Tweak some braces in ApiEditPage
* Fix up messages
* For new FileRepo::append(), use flags to determine whether to delete or not
* Add more error checking for appending
* Fix a couple of places in Revision.php and LogPage.php where DB errors were produced when comment was null
* Remove bogus checking for !$comment, etc on the DONE phase of chunked uploading
* Don't pretend to return a value when raising an exception
* Add more tests for chunked uploads
* Verify that Status::getErrorsArray() (at least where it is used in ApiUpload::execute()) returns an array that we can pass to dieUsageMessage()
* Ensure that checkWarnings(), etc work only on the complete file
