
Cannot fetch login token from action=query&meta=tokens on private wikis
Closed, Resolved (Public)

Description

rMW94ba53f67731: Move CSRF token handling into MediaWiki\Session\Session deprecated fetching login and account creation tokens via a NeedToken response from action=login and action=createaccount, in favor of using action=query&meta=tokens. However, attempting to access that on a private wiki results in a "readapidenied" error, because action=query requires read mode even though ApiQueryTokens itself doesn't.

Event Timeline

Change 277778 had a related patch set uploaded (by Anomie):
API: Allow fetching login token from action=query&meta=tokens on private wikis

https://gerrit.wikimedia.org/r/277778

Change 277778 merged by jenkins-bot:
API: Allow fetching login token from action=query&meta=tokens on private wikis

https://gerrit.wikimedia.org/r/277778

Does this mean the login sequence on a private wiki is different from a public wiki?

Umherirrender subscribed.

Does this mean the login sequence on a private wiki is different from a public wiki?

Due to the fix, there is no difference after deployment of that fix.

Does this mean the login sequence on a private wiki is different from a public wiki?

Due to the fix, there is no difference after deployment of that fix.

Before this fix, ...

Was it possible to log on using the API to a private wiki?
If so, did that involve using a deprecated API?
If so, which released versions are affected?
Does this fix need to be backported?

i.e. from a client perspective (such as pywikibot), when trying to access a private wiki with a version before this fix ... what did they need to do? what should they need to do?

The above linked login change which introduced the bug was part of the SessionManager which was part of 1.27.0-wmf.12, this fix is now part of 1.27.0-wmf.18, so no release seems affected by this bug, no need for backport.

The easiest way to handle this is to fall back to deprecated login with NeedToken, when getting a readapidenied error from meta=tokens in a MediaWiki with a version of 1.27.0.

The above linked login change which introduced the bug was part of the SessionManager which was part of 1.27.0-wmf.12, this fix is now part of 1.27.0-wmf.18, so no release seems affected by this bug, no need for backport.

Great! Thanks for clarifying so I didn't need to figure that out.

The easiest way to handle this is to fall back to deprecated login with NeedToken, when getting a readapidenied error from meta=tokens in a MediaWiki with a version of 1.27.0.

OK, I'll look into that. As it isn't a released bug, it might instead be simpler to blacklist using private wikis with -wmf.12 to 17 - it will become a very rare scenario quite quickly.
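An added example, not code from this task or from pywikibot, of the client-side fallback discussed above: fetch the login token via action=query&meta=tokens first and drop to the deprecated action=login NeedToken round trip only when the wiki answers with the readapidenied error code, so any other error still surfaces instead of silently downgrading. The `api_post` callable, the fake api.php and the token values are constructed stand-ins so the logic runs offline.

```python
from typing import Any, Callable, Dict

ApiPost = Callable[[Dict[str, str]], Dict[str, Any]]  # hypothetical transport: params -> decoded JSON


def fetch_login_token(api_post: ApiPost) -> Dict[str, str]:
    """Return {"token": ..., "method": "meta=tokens" | "NeedToken"}.

    Supported path first; the deprecated NeedToken path is used only for the
    readapidenied case described in this task (private wiki before the fix).
    """
    resp = api_post({"action": "query", "meta": "tokens", "type": "login", "format": "json"})
    err = resp.get("error", {})
    if not err:
        return {"token": resp["query"]["tokens"]["logintoken"], "method": "meta=tokens"}
    if err.get("code") != "readapidenied":
        # Anything else (bad request, rate limit, ...) is not a reason to downgrade.
        raise RuntimeError(f"unexpected API error: {err.get('code')}")
    # Deprecated path: action=login without lgtoken answers NeedToken and carries the token.
    resp = api_post({"action": "login", "lgname": "placeholder-user", "format": "json"})
    login = resp.get("login", {})
    if login.get("result") != "NeedToken" or "token" not in login:
        raise RuntimeError(f"NeedToken fallback failed: {login.get('result')}")
    return {"token": login["token"], "method": "NeedToken"}


def fake_api(private: bool, fixed: bool) -> ApiPost:
    """Constructed stand-in for api.php modelling a wiki before/after the fix above."""
    def post(params: Dict[str, str]) -> Dict[str, Any]:
        if params.get("action") == "query":
            if private and not fixed:  # action=query demanded read rights even for meta=tokens
                return {"error": {"code": "readapidenied", "info": "constructed: read permission required"}}
            return {"query": {"tokens": {"logintoken": "constructed-query-token+\\"}}}
        if params.get("action") == "login" and "lgtoken" not in params:
            return {"login": {"result": "NeedToken", "token": "constructed-needtoken+\\"}}
        return {"error": {"code": "unknownaction", "info": "constructed"}}
    return post


if __name__ == "__main__":
    for private, fixed in ((False, False), (True, False), (True, True)):
        print(private, fixed, fetch_login_token(fake_api(private, fixed)))
```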