
PHP fatal error about undefined method when I view a certain page
Closed, Resolved, Public

Description

http://meta.wikimedia.beta.wmflabs.org/wiki/Special:OAuthManageConsumers/proposed/1a31f6085491372db93394ed6cbff4c4
Call to undefined method Message::toJson()

frontend/specialpages/SpecialMWOAuthManageConsumers.php: 'default' => $cmr->get( 'restrictions' )->toJson( true ),

But MWOAuthDAOAccessControl::get can return a Message instead of MWRestrictions (?) in case of access failure
See details in T125938

Event Timeline

Krenair created this task. Feb 5 2016, 3:42 AM
Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description.
Krenair added a subscriber: Krenair.
Restricted Application added subscribers: StudiesWorld, Aklapper. Feb 5 2016, 3:42 AM
Halfak set Security to None. Feb 6 2016, 2:18 AM
Halfak added a subscriber: Halfak.
Tgr added subscribers: bd808, Tgr. Feb 6 2016, 4:12 AM

Full error message is Fatal error: Call to undefined method Message::toJson() in /srv/mediawiki/php-1.27.0-wmf.12/extensions/OAuth/frontend/specialpages/SpecialMWOAuthManageConsumers.php on line 337 (and there is no stack trace - @bd808 did something in fatal logging break?)
This is apparently by design - if the user does not have permission, the DAO object returns a message. The idea would be that the user just sees a "this field is private" message without the higher-level code having to worry about access control, but the DAO framework also allows non-string return types via MWOAuthDAO::decodeRow and the two features don't go well together.

Did some grepping and SpecialMWOAuthManageConsumers.php#337 seems to be the only place that can trigger errors currently. Only grants and restrictions are decoded into an object, grants are always visible to a user that passed the special page's own permission check, and this is the only place where restrictions are queried from a consumer wrapped in MWOAuthDAOAccessControl, so it's easy to add a check there. That said, this is a problem with the design and it will be easy to introduce similar bugs in the future.
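The design problem described in the comment above, as an added example that is not part of the task thread or the OAuth extension's code: an access-control wrapper whose `get()` returns either the decoded field object or a message object, and a caller that checks the type before calling `toJson()`. All `Demo*` class names, the `restrictionsFormDefault()` helper and the message key are hypothetical stand-ins.

```php
<?php
// Added illustration; every Demo* name is a hypothetical stand-in, not an OAuth extension class.
final class DemoMessage {
    public function __construct( private string $key ) {}
    public function text(): string { return "<{$this->key}>"; }
}

final class DemoRestrictions {
    public function __construct( private array $ipRanges ) {}
    public function toJson(): string { return json_encode( [ 'IPAddresses' => $this->ipRanges ] ); }
}

// Stand-in for a DAO whose row decoding turns some fields into objects.
final class DemoConsumer {
    private array $fields;
    public function __construct() {
        $this->fields = [
            'name' => 'demo-app',
            'restrictions' => new DemoRestrictions( [ '0.0.0.0/0' ] ), // constructed sample value
        ];
    }
    public function get( string $field ) { return $this->fields[$field]; }
}

// Stand-in for the access-control wrapper: on denial it returns a message, not the field value.
final class DemoAccessControl {
    public function __construct(
        private DemoConsumer $dao, private array $privateFields, private bool $privileged
    ) {}
    public function get( string $field ): mixed {
        if ( in_array( $field, $this->privateFields, true ) && !$this->privileged ) {
            return new DemoMessage( 'demo-field-private' );
        }
        return $this->dao->get( $field );
    }
}

// Caller-side check: test the type before calling methods of the decoded object.
function restrictionsFormDefault( DemoAccessControl $cmr ): string {
    $restrictions = $cmr->get( 'restrictions' );
    if ( $restrictions instanceof DemoMessage ) {
        return $restrictions->text(); // show the placeholder instead of hitting a fatal error
    }
    return $restrictions->toJson();
}

foreach ( [ true, false ] as $privileged ) {
    $cmr = new DemoAccessControl( new DemoConsumer(), [ 'restrictions' ], $privileged );
    echo ( $privileged ? 'allowed: ' : 'denied:  ' ), restrictionsFormDefault( $cmr ), "\n";
}
```

Without the `instanceof` branch, the denied case calls `toJson()` on the message object and fails with the same kind of "undefined method" fatal reported in this task.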

Change 268859 had a related patch set uploaded (by Gergő Tisza):
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/268859

Change 268860 had a related patch set uploaded (by Gergő Tisza):
Fix rights in oauth role

https://gerrit.wikimedia.org/r/268860

Change 268859 merged by jenkins-bot:
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/268859

Krenair closed this task as Resolved. Feb 6 2016, 5:00 AM
Krenair assigned this task to Tgr.

Change 268860 merged by jenkins-bot:
Fix rights in oauth role

https://gerrit.wikimedia.org/r/268860

Change 269333 had a related patch set uploaded (by Gergő Tisza):
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/269333

Change 269333 merged by jenkins-bot:
Handle error message in SpecialMWOAuthManageConsumers

https://gerrit.wikimedia.org/r/269333

Tgr added a comment. Feb 9 2016, 1:29 AM

Backported to production.