Fix the (un)watch token to include the namespace name.

Title::getDBkey() only returns the page name without the namespace
which means that "Test" and "User:Test" (for example) pages would
have the same token; use Title::getPrefixedDBkey() instead to
avoid this.

Change-Id: I80333b23cec0cfe6546f6e7776b0a77b56ee20c8

diff --git a/includes/actions/WatchAction.php b/includes/actions/WatchAction.php
index 2c7502e..3b3ae1d 100644 (file)
--- a/includes/actions/WatchAction.php
+++ b/includes/actions/WatchAction.php
@@ -185,7 +185,7 @@ class WatchAction extends FormAction {
                if ( $action != 'unwatch' ) {
                        $action = 'watch';
                }
-               $salt = array( $action, $title->getDBkey() );
+               $salt = array( $action, $title->getPrefixedDBkey() );
 
                // This token stronger salted and not compatible with ApiWatch
                // It's title/action specific because index.php is GET and API is POST