Page MenuHomePhabricator
Create Task
Maniphest T125939

PHP fatal error about undefined method when I view a certain page
Closed, ResolvedPublic
Actions

Description

http://meta.wikimedia.beta.wmflabs.org/wiki/Special:OAuthManageConsumers/proposed/1a31f6085491372db93394ed6cbff4c4
Call to undefined method Message::toJson()

frontend/specialpages/SpecialMWOAuthManageConsumers.php:                                        'default' => $cmr->get( 'restrictions' )->toJson( true ),

But MWOAuthDAOAccessControl::get can return a Message instead of MWRestrictions (?) in case of access failure
See details in T125938

Details

SubjectRepoBranchLines +/-
Handle error message in SpecialMWOAuthManageConsumersmediawiki/extensions/OAuthwmf/1.27.0-wmf.12+3 -1
Handle error message in SpecialMWOAuthManageConsumersmediawiki/extensions/OAuthmaster+3 -1
Fix rights in oauth rolemediawiki/vagrantmaster+0 -1
Customize query in gerrit

Related Objects

Event Timeline

Krenair created this task.Feb 5 2016, 3:42 AM
Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description. (Show Details)
Krenair added a project: MediaWiki-extensions-OAuth.
Krenair subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 5 2016, 3:42 AM
Halfak set Security to None.Feb 6 2016, 2:18 AM
Halfak subscribed.
Tgr mentioned this in T125938: PHP fatal errors causing Varnish to return 503 - "Junk after gzip data".Feb 6 2016, 3:51 AM
Tgr added subscribers: bd808, Tgr.Feb 6 2016, 4:12 AM
In T125938#2005005, @Tgr wrote:

Full error message is Fatal error: Call to undefined method Message::toJson() in /srv/mediawiki/php-1.27.0-wmf.12/extensions/OAuth/frontend/specialpages/SpecialMWOAuthManageConsumers.php on line 337 (and there is no stack trace - @bd808 did something in fatal logging break?)

This is apparently by design - if the user does not have permission, the DAO object returns a message. The idea would be that the user just sees a "this field is private" message without the higher-level code having to worry about access control, but the DAO framework also allows non-string return types via MWOAuthDAO::decodeRow and the two features don't go well together.

Did some grepping and SpecialMWOAuthManageConsumers.php#337 seems to be the only place that can trigger errors currently. Only grants and restrictions are decoded into an object, grants are always visible to a user that passed the special page's own permission check, and this is the only place where restrictions are queried from a consumer wrapped in MWOAuthDAOAccessControl, so it's easy to add a check there. That said, this is a problem with the design and it will be easy to introduce similar bugs in the future.

gerritbot subscribed.Feb 6 2016, 4:37 AM

Change 268859 had a related patch set uploaded (by Gergő Tisza):
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/268859

gerritbot added a project: Patch-For-Review.Feb 6 2016, 4:37 AM
gerritbot added a comment.Feb 6 2016, 4:39 AM

Change 268860 had a related patch set uploaded (by Gergő Tisza):
Fix rights in oauth role

https://gerrit.wikimedia.org/r/268860

gerritbot added a comment.Feb 6 2016, 4:51 AM

Change 268859 merged by jenkins-bot:
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/268859

Krenair closed this task as Resolved.Feb 6 2016, 5:00 AM
Krenair assigned this task to Tgr.
gerritbot added a comment.Feb 6 2016, 6:48 PM

Change 268860 merged by jenkins-bot:
Fix rights in oauth role

https://gerrit.wikimedia.org/r/268860

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-02-09_(1.27.0-wmf.13)).Feb 8 2016, 8:02 PM
gerritbot added a comment.Feb 8 2016, 11:49 PM

Change 269333 had a related patch set uploaded (by Gergő Tisza):
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/269333

gerritbot added a comment.Feb 9 2016, 1:12 AM

Change 269333 merged by jenkins-bot:
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/269333

Tgr added a comment.Feb 9 2016, 1:29 AM

Backported to production.

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-02-02_(1.27.0-wmf.12)).Feb 9 2016, 2:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL