Page MenuHomePhabricator
Create Task
Maniphest T313265

App gives no indication that user script pages are protected when reading them
Open, LowPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Navigate to any user script page that is not your own in the Android App
  • Look at the various editing icons

What happens?:
The app displays the normal editing icons (pencils) without any indication that the page is protected

What should have happened instead?:
The app should display the pencil with closed padlock icon, which is used on all other protected pages that the user cannot edit

Other information (browser name/version, screenshots, etc.):

  • App version: 2.7.50413-r-2022-07-14

Screenshot_20220718-205728_Wikipedia.jpg (2×1 px, 270 KB)

Related Objects

Event Timeline

Asartea created this task.Jul 18 2022, 7:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2022, 7:30 PM
LGoto triaged this task as Low priority.Jul 21 2022, 4:12 PM
LGoto added a project: Content-Transform-Team.
LGoto moved this task from Needs Triage to Tracking on the Wikipedia-Android-App-Backlog board.
JTannerWMF subscribed.Jul 21 2022, 4:12 PM

Thank you for filing this task, we are going to escalate it to the team that would be able to fix it

JMcLeod_WMF edited projects, added Page Content Service; removed Content-Transform-Team.Jul 28 2022, 2:11 PM
Restricted Application added a project: Product-Infrastructure-Team-Backlog-Deprecated. · View Herald TranscriptJul 28 2022, 2:11 PM
JMcLeod_WMF removed a project: Product-Infrastructure-Team-Backlog-Deprecated.Sep 29 2022, 2:13 PM
vadim-kovalenko claimed this task.Feb 9 2023, 8:16 AM
vadim-kovalenko added a project: Content-Transform-Team-WIP.
vadim-kovalenko moved this task from Backlog to In Progress on the Content-Transform-Team-WIP board.
vadim-kovalenko added a comment.Feb 9 2023, 9:12 AM

@Asartea , could you provide a link to the protected user script page? This page, for example, is not protected and can be editable by any user both from the mobile app and a desktop.

Seddon moved this task from Tracking to Android Release - FY2023-24 on the Wikipedia-Android-App-Backlog board.Feb 11 2023, 12:51 AM
Seddon edited projects, added Wikipedia-Android-App-Backlog (Android Release - FY2023-24); removed Wikipedia-Android-App-Backlog.
JTannerWMF moved this task from Epics in Progress to Needs Eng. Manager on the Wikipedia-Android-App-Backlog (Android Release - FY2023-24) board.Feb 13 2023, 3:09 PM
JMcLeod_WMF moved this task from In Progress to Blocked on the Content-Transform-Team-WIP board.Feb 13 2023, 4:47 PM
cscott subscribed.Feb 27 2023, 4:24 PM

https://en.wikipedia.org/wiki/User:Cscott/TogetherJS.js is a user script on my page, it should be protected? And I think that https://en.wikipedia.org/wiki/User:GhostInTheMachine/SDsummary.js is the link to the protected page from @vadim-kovalenko's example.

vadim-kovalenko added a comment.Feb 28 2023, 9:36 AM

@cscott , I've tried to open the page with .js at the end of URL on the local mobileapss instance (http://localhost:8888/en.wikipedia.org/v1/page/mobile-html/User%3ACscott%2FTogetherJS.js), but got Dummy output. Parsoid does not support content model javascript. See T324711. error message. Any chances to get this page locally?

cscott added a comment.Feb 28 2023, 3:27 PM

The content on the app doesn't seem to be generated by the mobile html service, as the mobile html service shows the output that @vadim-kovalenko shows above and returns 400 for these pages (T324711). So this is probably not a mobile html service bug but instead a bug in the app itself, specifically whatever fallback path the app is using to generate content for these pages after the mobile html service returns 400. (I note that it is rendering the javascript "as if it were wikitext" as well, so there are bigger problems here than "just" the presence of the edit button.)

cscott added a comment.Feb 28 2023, 3:48 PM

@vadim-kovalenko points out that https://en.wikipedia.org/api/rest_v1/page/mobile-html/User%3Acscott%2FTogetherJS.js "works" in production -- which apparently is just because production is still pointed to RESTBase while the development instance is pointed to the core APIs which are expected to replace RESTBase. So once that switchover is complete, apps will start displaying the "dummy content" message instead of any output, which is a bug in itself likely. Generally apps should be using the same mechanism for "non wikitext content" pages as it does for (eg) Special pages. The question is how apps should know that a given Title corresponds to a non-wikitext content type.

ssastry mentioned this in T330772: Mobile-html switchover to REST API (from RESTBase) should account for http 400 response for non-wikitext content models.Feb 28 2023, 4:28 PM
ssastry subscribed.

Filed T330772: Mobile-html switchover to REST API (from RESTBase) should account for http 400 response for non-wikitext content models.

MSantos added subscribers: Dbrant, Tsevener, Seddon.Feb 28 2023, 6:42 PM
MSantos added a project: Essential-Work.Jun 19 2023, 11:28 AM
MSantos claimed this task.Jun 26 2023, 3:28 PM
MSantos added a subscriber: vadim-kovalenko.
cscott added a comment.Feb 20 2024, 3:34 PM

This might get fixed implicitly by RESTBase deprecation.

MSantos removed MSantos as the assignee of this task.Mar 26 2024, 11:06 AM
MSantos edited projects, added RESTBase Sunsetting; removed Content-Transform-Team-WIP.
MSantos subscribed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL