On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung <funkycat32(a)gmail.com> wrote:
Wouldn't adding a salt fix this? They would have to have both the
username, the database, and the salt value to decrypt the wiki list.
In other words, they would have to have access to your server, nothing
more. No, it wouldn't fix it.
After some discussion in #wikimedia-toolserver, Duesentrieb pointed
out that a) this issue would be solved if MediaWiki just allowed RSS
feeds for watchlists, and b) it would probably take less work for me
to add that feature to MediaWiki than to develop an authentication
framework that would allow users to securely permit toolserver apps
access to their watchlists. MrZ-man helpfully pointed out that the
API already supports watchlist feeds, so I was able to hack on support
for token-based authentication pretty easily:
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/53703
Major limitations right now are 1) the default is an empty string,
which means "don't use", so it's opt-in; 2) the URL for the feed isn't
actually output anywhere. Watchlist aggregators should now be easy to
set up, plus people can just use their favorite feed reader.
Awesome, I've been meaning to implement this for ages.
Some feedback:
* I think you should create a new field class for preferences to allow
the user to enter a token or press a button to have one generated.
This would also allow you to add the link to the feed underneath.
* I think you should add appropriate meta tags and sidebar links to
the RSS feed.
--
Andrew Garrett
agarrett(a)wikimedia.org
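
An added example, not part of the thread and not the code from the MediaWiki revision linked above: a sketch of a feed-token check in which an empty stored token means "don't use", as the thread describes. The function names, the 20-byte token length and the assumption that the token arrives as a request parameter are hypothetical.

```php
<?php
// Added illustration; every name here is hypothetical, not MediaWiki's API.

/** Generate a fresh feed token: 20 random bytes from the CSPRNG, hex-encoded. */
function generateFeedToken(): string {
    return bin2hex(random_bytes(20));
}

/**
 * Decide whether a feed request may read the user's watchlist.
 * $storedToken   the user's preference value; '' means the feature is off
 * $suppliedToken the raw value taken from the request (may not be a string)
 */
function feedTokenIsValid(string $storedToken, $suppliedToken): bool {
    // Opt-in: an empty stored token disables token access entirely.
    // Without this check, '' would compare equal to '' and the feed of
    // every user who never set a token would be readable by anyone.
    if ($storedToken === '') {
        return false;
    }
    // Request parameters can be arrays or missing; accept only non-empty strings.
    if (!is_string($suppliedToken) || $suppliedToken === '') {
        return false;
    }
    // Constant-time comparison, so response timing does not reveal how
    // many leading characters of a guessed token were correct.
    return hash_equals($storedToken, $suppliedToken);
}

// Constructed sample data: Alice opted in, Bob kept the empty default.
$prefs = ['Alice' => generateFeedToken(), 'Bob' => ''];
$requests = [
    ['Alice', $prefs['Alice']], // correct token
    ['Alice', 'guess'],         // wrong token
    ['Bob',   ''],              // empty token against the empty default
    ['Bob',   null],            // parameter missing
    ['Alice', ['x']],           // parameter sent as an array
];
foreach ($requests as [$user, $token]) {
    $shown = is_string($token) ? substr($token, 0, 8) . '...' : gettype($token);
    $verdict = feedTokenIsValid($prefs[$user], $token) ? 'allow' : 'deny';
    printf("%-5s %-12s %s\n", $user, $shown, $verdict);
}
```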