Hey everybody,
This was already posted to Mediawiki-api-announce, x-posting here for
increased visibility as this change should be in production this week.
With the merge of Icb674095,[1] use of API action=logout will require
a CSRF token. This was considered a security issue, so the usual
deprecation process was not followed. See T25227[2] for details.
Clients that do not use a CSRF token with action=logout will receive a
badtoken error message ***and will not be logged out***.
This change should be deployed to Wikimedia wikis with 1.34.0-wmf.3.
See
https://www.mediawiki.org/wiki/MediaWiki_1.34/Roadmap for a
schedule.
Overall client impact is expected to be relatively low, as gathered
statistics indicate there are relatively few users of this API call.
None the less, maintainers should check their code for use of
action=logout and update as necessary to maintain expected operation.
[1]:
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/504565
[2]:
https://phabricator.wikimedia.orgdo not use /T25227
<https://phabricator.wikimedia.org/T25227>
[3]:
https://phabricator.wikimedia.org/T25227#4902709
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation