From: jenkins-bot
Date: Tue, 8 Sep 2015 13:41:17 +0000 (+0000)
Subject: Merge "Default the "watchlisttoken" value to a derived HMAC value"
X-Git-Tag: 1.31.0-rc.0~10096
X-Git-Url: http://git.cyclocoop.org/%40spipnet%40?a=commitdiff_plain;h=04ebf62661d52b4b83098a97164b6624fb9aebdd;hp=09f4a785b33c346f668067b526594ccbc73b8bf0;p=lhc%2Fweb%2Fwiklou.git
Merge "Default the "watchlisttoken" value to a derived HMAC value"
---
diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26
index ff7f884fdd..a532171d6e 100644
--- a/RELEASE-NOTES-1.26
+++ b/RELEASE-NOTES-1.26
@@ -170,6 +170,9 @@ changes to languages because of Phabricator reports.
 a lengthy deprecation period.
 * The ScopedPHPTimeout class was removed.
 * Removed maintenance script fixSlaveDesync.php.
+* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
+ are deprecated. Applications using those can work via the OAuth
+ extension instead. New tokens types should not be added.
 == Compatibility ==
diff --git a/includes/User.php b/includes/User.php
index da8ff7925d..605dab6834 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -2438,6 +2438,7 @@ class User implements IDBAccessObject {
 */
 public function setInternalPassword( $str ) {
 $this->setToken();
+ $this->setOption( 'watchlisttoken', false );
 $passwordFactory = self::getPasswordFactory();
 $this->mPassword = $passwordFactory->newFromPlaintext( $str );
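Review bot: The added `$this->setOption( 'watchlisttoken', false );` in setInternalPassword discards a manually-set watchlist token right after `setToken()` rotates the user token, which is the right invalidation behaviour on a password change, but nothing in the hunk says why, and the method's docblock (which starts above the hunk) presumably does not mention this side effect. I would precede the line with `// Also drop a manually-set watchlist token so that every token derived from the old user token is invalidated by a password change` and add the same sentence to the docblock. Whether a `false` value is actually persisted, or treated as "unset and equal to default" and skipped when the options are saved, cannot be seen here; if it is skipped, a token already stored in the database would survive the password change, so this is worth confirming against the options save path. The method continues past the end of the hunk.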
@@ -2715,20 +2716,24 @@ class User implements IDBAccessObject {
 * @return string|bool User's current value for the option, or false if this option is disabled.
 * @see resetTokenFromOption()
 * @see getOption()
+ * @deprecated 1.26 Applications should use the OAuth extension
 */
 public function getTokenFromOption( $oname ) {
 global $wgHiddenPrefs;
- if ( in_array( $oname, $wgHiddenPrefs ) ) {
+
+ $id = $this->getId();
+ if ( !$id || in_array( $oname, $wgHiddenPrefs ) ) {
 return false;
 }
 $token = $this->getOption( $oname );
 if ( !$token ) {
- $token = $this->resetTokenFromOption( $oname );
- if ( !wfReadOnly() ) {
- $this->saveSettings();
- }
+ // Default to a value based on the user token to avoid space
+ // wasted on storing tokens for all users. When this option
+ // is set manually by the user, only then is it stored.
+ $token = hash_hmac( 'sha1', "$oname:$id", $this->getToken() );
 }
+
 return $token;
 }
diff --git a/includes/specials/SpecialResetTokens.php b/includes/specials/SpecialResetTokens.php
index 27a3a699ef..cba5a44930 100644
--- a/includes/specials/SpecialResetTokens.php
+++ b/includes/specials/SpecialResetTokens.php
@@ -25,6 +25,7 @@
 * Let users reset tokens like the watchlist token.
 *
 * @ingroup SpecialPage
+ * @deprecated 1.26
 */
 class SpecialResetTokens extends FormSpecialPage {
 private $tokensList;
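Review bot: The default produced by the `hash_hmac( 'sha1', "$oname:$id", $this->getToken() )` line changes whenever the user token is rotated (the `setToken()` call in setInternalPassword, and wherever else the token is reset), so a feed URL issued from this default silently stops validating after a password change, yet neither the new inline comment nor the docblock states that. I would extend the comment with `// This default rotates with the user token, so any setToken() call (e.g. a password change) invalidates it; only a manually-set token survives in user_properties.` and update `@return` to say false is now also returned for anonymous users because of the added `!$id` guard. Keying the HMAC on the user token is sound — the derivation is one-way, so the watchlist token does not reveal the session secret — provided `getToken()` cannot return an empty string for a logged-in user, which cannot be verified from here and is worth confirming. As a style point, the `in_array( $oname, $wgHiddenPrefs )` call should pass `true` as its third argument so a numeric-looking option name is not loosely matched. The docblock begins above the hunk.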
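Review bot: The `@deprecated 1.26` tag added to SpecialResetTokens names no replacement, unlike the `@deprecated 1.26 Applications should use the OAuth extension` tag this same commit adds to User::getTokenFromOption. I would make it `@deprecated 1.26 Use the OAuth extension instead; see User::getTokenFromOption()` so a reader of this class alone learns where to go. The class body continues past the end of the hunk.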