<unicornisaurous>: [...] It seems to me that the userrights token is not looked at closely by the API, and that the API only looks at the cookie. If I obtain a user rights token while logged in as one user, and then log out, my token now shows as a “bad token”, but after logging in again as a different user, the same token works again, but now the API thinks I’m the newly logged in user. Is this behavior intentional, or is something going wrong?
<anomie>: Something is possibly strange with that, but it's not in the API and not specific to the userrights token. What's going on is that the new login isn't establishing a new "secret" in the session, it's just keeping the existing secret so the old tokens are remaining valid. The best thing to do would probably be to file a security bug about it in Phabricator (see https://www.mediawiki.org/wiki/Reporting_security_bugs)
Steps to reproduce:
- Give the 'sysop' group the ability to add/remove the bot group from other users:
$wgAddGroups['sysop'][] = 'bot'; $wgRemoveGroups['sysop'][] = 'bot';
- Log in as a user which is only in the 'sysop' group
- Get a userrights token from api.php?action=query&meta=tokens&type=userrights&format=json (Notice that I did not specify any specific users as described here, but that may be outdated documentation)
- Make a POST request (with token) to api.php?action=userrights&user=someUser&add=bot&format=json (Succeeds as expected)
- Logout and try to make the same request with the same token (Fails with Bad token error)
- Log in as a different 'sysop' user and try the same request, except changing 'add' to 'remove' to reverse the changes made in #4 (Succeeds)
Although I only obtained one userrights token for the whole test, in the log both of my sysop users were logged as making userrights changes during the respective times they were logged in.
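The behaviour described in the chat and in the steps above comes down to how a CSRF token is derived from a per-session secret and whether that secret is replaced when a new user logs in. The following is an added, simplified model written for this report (it is not MediaWiki's own session or token code; the Session class, csrf_token, token_valid, login, logout and reproduce are all assumed names). It derives the token as an HMAC over the session secret, rejects tokens while no user is logged in (the "Bad token" seen at the logout step), and then runs the reproduction steps twice: once with the secret kept across logins, which reproduces the report, and once with the secret rotated on login, which is the mitigation.

```python
import hashlib
import hmac
import secrets


class Session:
    """Minimal stand-in for a server-side session (constructed for this example)."""

    def __init__(self):
        self.user = None
        # Per-session secret from which CSRF tokens are derived.
        self.secret = secrets.token_bytes(32)


def csrf_token(session, salt="userrights"):
    """Derive a CSRF token for one action type from the session secret."""
    return hmac.new(session.secret, salt.encode(), hashlib.sha256).hexdigest()


def token_valid(session, token, salt="userrights"):
    """A token is only accepted for a logged-in user and must match the current secret."""
    if session.user is None:
        return False  # logged-out session: every token is a "bad token"
    return hmac.compare_digest(csrf_token(session, salt), token)


def login(session, user, rotate_secret):
    """Log a user in. rotate_secret=False keeps the old secret (the reported bug)."""
    session.user = user
    if rotate_secret:
        # Mitigation: a fresh secret invalidates every token issued to the previous user.
        session.secret = secrets.token_bytes(32)


def logout(session):
    """Log out without discarding the secret, as the report implies happens today."""
    session.user = None


def reproduce(rotate_secret):
    """Run the reported steps; returns (valid_as_user_a, valid_logged_out, valid_as_user_b)."""
    s = Session()
    login(s, "sysop_a", rotate_secret)
    tok = csrf_token(s)              # one token obtained for the whole test
    as_a = token_valid(s, tok)       # expected: accepted
    logout(s)
    logged_out = token_valid(s, tok) # expected: rejected ("Bad token")
    login(s, "sysop_b", rotate_secret)
    as_b = token_valid(s, tok)       # bug: accepted; fixed: rejected
    return (as_a, logged_out, as_b)


if __name__ == "__main__":
    print("secret kept across logins :", reproduce(rotate_secret=False))
    print("secret rotated on login   :", reproduce(rotate_secret=True))
```

With the secret kept, the third result is True: the token issued to the first sysop is accepted while the second sysop is logged in, which is exactly what the log showed. Rotating the secret on every login (and ideally on logout as well) turns that result into False, so a token obtained under one account can never authorise an action under another.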