Steps to reproduce:
- Load a MediaWiki page that you can edit
- Use an API-based tool to edit some part of the page (or a page) - e.g. FileAnnotations
- Go to another tab on the same wiki, and log out.
- Optional: Log in to a different account
- Make another edit by the same API-based tool.
Expected outcome: Warning bells occur to let the user know that they're no longer editing as the user displayed at the top of the screen.
Actual outcome: Literally nothing happens to the user (except maybe "permissiondenied" if the wiki disallows editing by anons), but the edit is saved under the IP of the user, or the second username.
Initial proposed fix: mw.Api#postWithEditToken et al. should check meta=userinfo when they get a token, then check the user ID against the user ID in the page config (mw.config.get( 'wgUserId' )). The only problem I have is, how should we signal a mismatch? Adding it to the API response before it's passed back through the promise seems really nasty. A second parameter to mw.Api deferred resolutions might work. A pagewide event might work.
New proposed fix (see below discussion): API gets a new assertuser=Whomever parameter, in addition to assert=user, so you can signal the API to fail if the request is logged out, but also if the logged-in user is not User:Whomever.
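Both proposals above can be seen side by side in the following added example (my own code, not part of this report and not MediaWiki's implementation). `withUserAssertion` attaches the server-side guard from the new proposal (`assert=user` plus `assertuser=<name>`), and `identityMismatch` / `postWithIdentityCheck` implement the initial client-side proposal: fetch `meta=userinfo`, compare the reported user id with what the page was rendered for, and refuse to post when they differ. The `mw.Api` object, `mw.config` values and the API responses are stubbed with constructed sample data so it runs stand-alone in Node; in a gadget you would pass `new mw.Api()`, `mw.config.get( 'wgUserId' )` and `mw.config.get( 'wgUserName' )` instead.

```javascript
// Server-side guard (MediaWiki's own API parameters): assert=user fails the
// request if the session is anonymous; assertuser=<name> fails it if the
// session belongs to a different account than the page was rendered for.
function withUserAssertion(params, pageUserName) {
  const guarded = Object.assign({}, params, { assert: 'user' });
  if (pageUserName) {
    guarded.assertuser = pageUserName;
  }
  return guarded;
}

// Client-side guard (the report's initial proposal): compare the user id the
// API reports for the current session with the id the page was rendered for.
// Returns null on a match, or a short reason string describing the mismatch.
function identityMismatch(userinfo, pageUserId) {
  if (!userinfo || typeof userinfo.id !== 'number') {
    return 'no-userinfo';
  }
  if (userinfo.id !== pageUserId) {
    // meta=userinfo reports id 0 (plus an "anon" key) for a logged-out session.
    return userinfo.id === 0 ? 'logged-out' : 'different-user';
  }
  return null;
}

// Fetch meta=userinfo, run the comparison, and only then post the edit.
// `api` must provide get() and postWithEditToken() returning promises, as
// mw.Api does. A mismatch is surfaced as a rejection instead of letting the
// edit be saved under the wrong identity.
async function postWithIdentityCheck(api, params, pageUserId, pageUserName) {
  const res = await api.get({ action: 'query', meta: 'userinfo', format: 'json' });
  const reason = identityMismatch(res.query && res.query.userinfo, pageUserId);
  if (reason) {
    throw new Error('session/user mismatch: ' + reason);
  }
  return api.postWithEditToken(withUserAssertion(params, pageUserName));
}

// Constructed stub standing in for mw.Api: `sessionUser` models who the
// server-side session currently belongs to (id 0 = anonymous).
function fakeApi(sessionUser) {
  return {
    get: async () => ({ query: { userinfo: sessionUser } }),
    postWithEditToken: async (params) => ({ sent: params, edit: { result: 'Success' } })
  };
}

// Constructed sample: the page was rendered for user id 42, "Alice"
// (what wgUserId / wgUserName would hold in a real page).
const PAGE_USER_ID = 42;
const PAGE_USER_NAME = 'Alice';
const EDIT = { action: 'edit', title: 'Sandbox', text: 'hello', format: 'json' };

async function demo() {
  // Same session: the edit goes through, with the server-side assertions attached.
  const ok = await postWithIdentityCheck(fakeApi({ id: 42, name: 'Alice' }), EDIT, PAGE_USER_ID, PAGE_USER_NAME);
  console.log('same session ->', ok.sent.assert, ok.sent.assertuser);
  // Logged out in another tab, or logged in as someone else: blocked before anything is sent.
  const sessions = [{ id: 0, name: '203.0.113.7', anon: '' }, { id: 7, name: 'Bob' }];
  for (const session of sessions) {
    try {
      await postWithIdentityCheck(fakeApi(session), EDIT, PAGE_USER_ID, PAGE_USER_NAME);
    } catch (e) {
      console.log(session.name, '->', e.message);
    }
  }
}

demo().catch((e) => console.error(e));
```

The client-side check costs one extra round trip per edit and still has a window between the `meta=userinfo` call and the post; the `assertuser` parameter closes that window because the server evaluates it on the edit request itself, which is why the example sends both.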