This would avoid DBPerformance log warnings about DB updates on HTTP GET
Description
Details
Subject | Repo | Branch | Lines +/- | |
---|---|---|---|---|
Convert action=markpatrolled fallback interface to HTTP POST | mediawiki/core | master | +69 -35 |
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Resolved | aaron | T88445 MediaWiki active/active datacenter investigation and work (tracking) | |||
Resolved | Krinkle | T130946 Make ?action=markpatrolled require POST |
Event Timeline
In principle, MediaWiki already attaches JS click handlers to these links and submits POST to the API to perform the action.
However there are two cases in which this may still cause the action to happen over GET outside the API:
- The html output still provides a token in the query parameter of the fallback url. Which means in case javascript didn't initialise for this browser, the fallback is to perform the action immediately instead of linking to an interstitial form (like we do with purge and watch).
- Some pages may be missing the ajax module and thus have the fallback for everyone on those pages.
The first action item would be to remove support for token on that entry point over GET so that even in the current implementation (and any stray pointers from gadgets potentially) will naturally end up serving the POST-ification form instead. We did this with watch already I think. And I'm doing the same with rollback too.
Change 318124 had a related patch set uploaded (by Krinkle):
[WIP] Convert action=markpatrolled fallback to use POST
Change 318124 merged by jenkins-bot:
Convert action=markpatrolled fallback interface to HTTP POST