See my comments on r75274, for which this is a follow-up. Using a dedicated but constant patrol token is, in my opinion, the optimal compromise between performance (the token only needs to be fetched once) and security (leaking the token will only compromise the patrolling feature).
$this->getResult()->addValue( null, $this->getModuleName(), $result );
}
+ public function mustBePosted() {
+ return true;
+ }
+
public function isWriteMode() {
return true;
}
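Review bot: The new `mustBePosted()` has no comment explaining why the module now refuses GET, and that reason is the security-relevant part of this commit. With the salt fixed to `'patrol'` in the next hunk, the same token is accepted for every rcid, so it should stay out of URLs, where it can end up in access logs, browser history and Referer headers. I would add above the method: `// The patrol token is shared by all changes; require POST to keep it out of GET URLs.` The enclosing class starts and ends outside this hunk.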
}
public function getTokenSalt() {
- $params = $this->extractRequestParams();
- return $params['rcid'];
+ return 'patrol';
}
protected function getExamples() {
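Review bot: The literal `'patrol'` returned here has to stay identical to the salt passed to `editToken( 'patrol' )` in the getPatrolToken hunk further down, and nothing in the code links the two. A mismatch would presumably fail closed, with every patrol request rejected for a bad token, but it is easy to introduce in a later edit. A comment such as `// Must match the salt used in ApiQueryRecentChanges::getPatrolToken()`, or a shared constant, would make the coupling visible. Tokens that clients obtained earlier with the rcid salt will presumably stop validating after this change, which deserves a line in the release notes.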
'unblock' => array( 'ApiQueryInfo', 'getUnblockToken' ),
'email' => array( 'ApiQueryInfo', 'getEmailToken' ),
'import' => array( 'ApiQueryInfo', 'getImportToken' ),
+ 'patrol' => array( 'ApiQueryRecentChanges', 'getPatrolToken' ),
);
wfRunHooks( 'APIQueryInfoTokens', array( &$this->tokenFunctions ) );
return $this->tokenFunctions;
return false;
}
- return $wgUser->editToken( $rc->getAttribute( 'rc_id' ) );
+ // The patrol token is always the same, let's exploit that
+ static $cachedPatrolToken = null;
+ if ( is_null( $cachedPatrolToken ) ) {
+ $cachedPatrolToken = $wgUser->editToken( 'patrol' );
+ }
+
+ return $cachedPatrolToken;
}
/**
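Review bot: The `static $cachedPatrolToken` is filled from `$wgUser` but is not keyed by user, so it silently assumes the user never changes for the lifetime of the PHP process. That holds for an ordinary web request, but in a test run or a long-running script that swaps `$wgUser` the function would keep returning the first user's token; a comment stating the assumption, e.g. `// Per-request cache: only valid while $wgUser stays the same`, or keying the cache on the user ID, would remove the trap. The removed line was the only visible use of `$rc`, and the tokens table now registers this function as a callback, so the signature (outside this hunk) should probably make `$rc` optional. The function's opening lines are not part of this hunk.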