It's a product requirement of IP Masking that the "temporary accounts" function as global accounts. To achieve that, every editing tool must redirect the user through loginwiki, so that we can set cookies there. (Because Wikimedia wikis use different top-level domains, it must be a full-page redirect, otherwise it won't work on browsers that don't accept third-party cookies.) The action=edit API needs to provide the location to redirect to in its response to make that possible.
Description
Details
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Restricted Task | |||||
Resolved | kostajh | T294511 2021 Security Team wikireplicas audit | |||
Declined | None | T284948 Raw IPs of logged-out users disclosed in wiki-replicas | |||
In Progress | Niharika | T324492 Temporary accounts - MVP | |||
Open | None | T326816 [Epic] Update features for temporary accounts | |||
Resolved | ppelberg | T326876 Update Editing Team-owned products that may be affected by temporary users | |||
Resolved | • matmarex | T332432 Update DiscussionTools for IP masking | |||
Resolved | • matmarex | T332433 Update page editing features in MobileFrontend for IP masking | |||
Resolved | • matmarex | T332435 Update VisualEditor for IP masking | |||
Resolved | Ryasmeen | T344468 QA Editing-related IP Masking changes | |||
Resolved | • matmarex | T338002 Let action=edit API instruct the client to redirect to another location after saving the edit |
Event Timeline
(There are other use cases for such a feature, e.g. FlaggedRevs would like to redirect some users to a different URL as well (T266951), but for now I'll just implement the minimal version that CentralAuth support for IP Masking requires.)
Change 926643 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[mediawiki/extensions/CentralAuth@master] Let 'TempUserCreatedRedirect' handler run in API requests
Change 926645 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[mediawiki/core@master] [WIP] ApiEditPage: Create temporary account on edit attempt if enabled
This is a cross-cutting concern that will be relevant for the Flow API, the LiquidThreads API, probably for VisualEditor and DiscussionTools. Also the move API, if some wiki allows page moving for anons (although that's probably unwise). Probably relevant for some non-Wikimedia extensions too.
Change 926643 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Let 'TempUserCreatedRedirect' handler run in API requests
Change 930281 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[mediawiki/extensions/VisualEditor@master] Reload page or redirect when saving an edit creates a temp account
Change 930282 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[mediawiki/extensions/DiscussionTools@master] Reload page or redirect when saving an edit creates a temp account
Change 930284 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[mediawiki/extensions/MobileFrontend@master] Reload page or redirect when saving an edit creates a temp account
Change 926645 merged by jenkins-bot:
[mediawiki/core@master] ApiEditPage: Return URL to finish creating temp account if enabled
Change 930281 merged by jenkins-bot:
[mediawiki/extensions/VisualEditor@master] Reload page or redirect when saving an edit creates a temp account
Change 930282 merged by jenkins-bot:
[mediawiki/extensions/DiscussionTools@master] Reload page or redirect when saving an edit creates a temp account
Change 930284 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Reload page or redirect when saving an edit creates a temp account
If I understand correctly, we're going to have a separate task to QA all changes related to IP Masking.