Page MenuHomePhabricator
Create Task
Maniphest T267493

WikimediaApiPortalOAuth nit picks/minor CR
Open, MediumPublic
Actions

Description

Stuff I noticed while doing T254947: Security Review Request for WikimediaApiPortalOAuth Extension

[DONE] 1. Config default

Fixed by https://gerrit.wikimedia.org/r/639946

		"WikimediaApiPortalOAuthMetaRestURL": {
			"value": "",
			"description": "URL to rest.php on Meta"
		}

If that's to meta... You might aswell just set it in extension.json and override (if needed for beta) as appropriate, rather than setting it in CommonSettings/InitialiseSettings.php later. "extensions should have sane config defaults". Also, there's no validation that this is actually set anywhere. Setting a default that isn't "" would probably fix that requirement

[DONE] 2. Confirm-email message

The extra "joining" text was removed.

	"wikimediaapiportaloauth-email-not-confirmed": "Thanks for joining Wikimedia! Before you can create your first API client, please [[Special:ConfirmEmail|confirm your email address]]."

"joining Wikimedia"? Feels oddly worded. "joining the Wikimedia Movement" or something might make more sense

3. OAuth admins link
	"wikimediaapiportaloauth-ui-client-status-proposed-help": "Before your client can be authorized by other users, it must be reviewed and approved by Wikimedia OAuth admins.",

Wikimedia OAuth admins feels like it should be linked to somewhere

4. Credentials doc link
	"wikimediaapiportaloauth-ui-client-secret-alert": "Save these credentials securely. You won't be able to access them again through the API Portal.",

Seems ripe for a link for some documentation, like in wikimediaapiportaloauth-ui-client-field-confidential. Maybe also mention they can be reset.

5. Extension description
	"wikimediaapiportaloauth-desc": "Enables users of the Wikimedia API Portal to create and manage OAuth clients remotely",

Remotely? Feels an odd choice of words, when all the wikis are hosted "remotely". "on wikis that aren't Meta" would make more sense, but still sounds odd

6. Status help messages
	"wikimediaapiportaloauth-ui-client-status-proposed": "Approval pending",
	"wikimediaapiportaloauth-ui-client-status-proposed-help": "Before your client can be authorized by other users, it must be reviewed and approved by Wikimedia OAuth admins.",
	"wikimediaapiportaloauth-ui-client-status-rejected": "Rejected",
	"wikimediaapiportaloauth-ui-client-status-expired": "Expired",
	"wikimediaapiportaloauth-ui-client-status-disabled": "Disabled",
	"wikimediaapiportaloauth-ui-client-status-approved": "Approved",

Why does only proposed have a -help message? Seems worthwhile to document them all...

7. Term clarification
	"wikimediaapiportaloauth-ui-client-field-account-type-bot": "API token: Call the API with a personal token tied to your Wikimedia account.",

What is a Wikimedia account? What is a personal token? (Maybe give more information as to what this is actually used for)

[DONE] 8. Extension version
	"version": "",

This should be used or removed from extension.json

9. Permissions clarification
	"wikimediaapiportaloauth-ui-client-field-permissions-read": "Read-only",
	"wikimediaapiportaloauth-ui-client-field-permissions-read-write": "Read/write",

Writing to what? What counts as a write action?

10. JS fallback

Tracked in T256697

There's also no no-JS fallback... I know we've discussed it for other related work/extensions, and isn't a high priority... But potentially stuff TODO down the line.

Details

SubjectRepoBranchLines +/-
config: Remove version numbermediawiki/extensions/WikimediaApiPortalOAuthmaster+0 -1
Set default value for $wgWikimediaApiPortalOAuthMetaRestURLmediawiki/extensions/WikimediaApiPortalOAuthmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Nov 8 2020, 5:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 8 2020, 5:31 PM
gerritbot added a comment.Nov 8 2020, 5:32 PM

Change 639946 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/WikimediaApiPortalOAuth@master] Set default value for $wgWikimediaApiPortalOAuthMetaRestURL

https://gerrit.wikimedia.org/r/639946

gerritbot added a project: Patch-For-Review.Nov 8 2020, 5:32 PM
Reedy updated the task description. (Show Details)Nov 8 2020, 5:37 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Nov 8 2020, 5:47 PM
Reedy added a comment.Nov 8 2020, 5:52 PM

I also note the loading bar appearing and then not showing anything different feels odd...

Maybe some placeholder text should go there... "You currently have no clients registered" rather than just nothing which could look like things are broken or haven't been loaded properly etc

Screenshot 2020-11-08 at 17.51.12.png (464×2 px, 54 KB)

Reedy mentioned this in T254947: Security Review Request for WikimediaApiPortalOAuth Extension.Nov 8 2020, 6:46 PM
Reedy added a comment.EditedNov 8 2020, 7:33 PM
In T267493#6611394, @Reedy wrote:

I also note the loading bar appearing and then not showing anything different feels odd...

Maybe some placeholder text should go there... "You currently have no clients registered" rather than just nothing which could look like things are broken or haven't been loaded properly etc

Screenshot 2020-11-08 at 17.51.12.png (464×2 px, 54 KB)

Which Gilles has registered some concerns about in T254950: Performance review of WikimediaApiPortalOAuth extension too

apaskulin subscribed.Nov 9 2020, 4:27 PM

Thanks, @Reedy! This is great feedback

gerritbot added a comment.Nov 10 2020, 1:24 AM

Change 639946 merged by jenkins-bot:
[mediawiki/extensions/WikimediaApiPortalOAuth@master] Set default value for $wgWikimediaApiPortalOAuthMetaRestURL

https://gerrit.wikimedia.org/r/639946

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.18; 2020-11-17).Nov 10 2020, 2:00 AM
Maintenance_bot removed a project: Patch-For-Review.Nov 10 2020, 2:10 AM
apaskulin added a project: API-Portal.Jan 7 2021, 9:22 PM
apaskulin moved this task from Backlog to New features on the API-Portal board.Jan 22 2021, 1:47 AM
apaskulin updated the task description. (Show Details)Feb 2 2021, 4:59 PM
gerritbot added a comment.Feb 2 2021, 5:08 PM

Change 661146 had a related patch set uploaded (by Alex Paskulin; owner: Alex Paskulin):
[mediawiki/extensions/WikimediaApiPortalOAuth@master] config: Remove version number

https://gerrit.wikimedia.org/r/661146

gerritbot added a project: Patch-For-Review.Feb 2 2021, 5:08 PM
gerritbot added a comment.Feb 2 2021, 5:21 PM

Change 661146 merged by jenkins-bot:
[mediawiki/extensions/WikimediaApiPortalOAuth@master] config: Remove version number

https://gerrit.wikimedia.org/r/661146

ReleaseTaggerBot edited projects, added MW-1.36-notes (1.36.0-wmf.30; 2021-02-09); removed MW-1.36-notes (1.36.0-wmf.18; 2020-11-17).Feb 2 2021, 6:00 PM
apaskulin updated the task description. (Show Details)Feb 8 2021, 7:52 PM
apaskulin triaged this task as Medium priority.Feb 9 2021, 11:44 PM
Pppery removed a project: Patch-For-Review.Apr 1 2023, 4:08 PM
Pppery subscribed.

All patches were merged. Can this be closed as resolved?

apaskulin added a project: Epic.Apr 3 2023, 9:11 PM

Hi @Pppery, There's quite a few things from this task that still need to be fixed, so let's keep it open.

Pppery unsubscribed.Apr 3 2023, 10:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL