
authonlyprivate OAuth grant should not mention real name when the wiki does not allow them
Open, Needs Triage, Public

Description

The description of the authonlyprivate grant says "Authentication only with access to real name and email address". When real names are disabled (via $wgHiddenPrefs) the grant description should not mention them.

Event Timeline

Tgr created this task. Nov 24 2016, 4:21 AM
Tgr added a comment. Dec 23 2016, 1:23 AM

A similar text is shown in the authorization dialog as well.

Tgr moved this task from Backlog to UI/UX on the MediaWiki-extensions-OAuth board. Mar 7 2017, 3:22 AM
Cirdan added a subscriber: Cirdan. May 7 2019, 8:24 PM
Cirdan added a comment. May 7 2019, 8:26 PM

This wording has been brought up as a concern by a user regarding the InternetArchiveBot's Management Interface. At least on the German-language Wikipedia, unless I'm mistaken there is no way to set a real name in the preferences, hence no real name can be revealed. Nevertheless, this raises questions especially for users who do not understand what kind of mechanism OAuth is.

@Tgr Could you quickly outline how this could be fixed? (E.g. where to place the check and how to check) Thanks!

Tgr updated the task description. May 15 2019, 10:33 AM
Tgr added a comment. May 15 2019, 10:47 AM

The grant text is generated (among other things) by MWGrants::grantName() and there is no easy way to modify that, so probably the least painful approach is to use a hook such as MessageCache::get to show a different message when real names are disabled. (The message used is grant-mwoauth-authonlyprivate.)
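
The hook approach outlined in the comment above, sketched as an added example (not part of the thread and not the code merged in change 536788). The replacement message key and the class name are hypothetical; the key would have to be defined in the extension's i18n files with wording that omits the real name.

```php
<?php
// Added illustration of the MessageCache::get approach; hypothetical names are marked.

class NoRealNameGrantText {
	/**
	 * Map of message keys that mention real names to replacement keys.
	 * The left-hand key is the one named in the task; the right-hand key is
	 * hypothetical (assumption). The authorization dialog text mentioned earlier
	 * in the task would need its own entry; its key is not given on this page.
	 */
	private const REPLACEMENTS = [
		'grant-mwoauth-authonlyprivate' => 'grant-mwoauth-authonlyprivate-norealname',
	];

	/**
	 * Handler for the MessageCache::get hook, which passes the message key by
	 * reference so a handler can substitute another key before lookup.
	 *
	 * @param string &$lckey Message key being fetched
	 * @return bool Always true, so other handlers still run
	 */
	public static function onMessageCacheGet( &$lckey ) {
		global $wgHiddenPrefs;

		// Leave wikis that expose the real name preference untouched.
		if ( !in_array( 'realname', $wgHiddenPrefs, true ) ) {
			return true;
		}

		// Swap only the known keys; every other message passes through unchanged.
		if ( isset( self::REPLACEMENTS[$lckey] ) ) {
			$lckey = self::REPLACEMENTS[$lckey];
		}

		// This changes the displayed text only; it does not alter what the
		// grant itself authorizes.
		return true;
	}
}

// Registration as it would appear in LocalSettings.php or an extension setup file.
$wgHooks['MessageCache::get'][] = 'NoRealNameGrantText::onMessageCacheGet';
```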

We have commissioned a Wikimedia login plugin for Discourse (via OAuth; see T215052: Add MediaWiki login support to Discourse) that is almost ready to be deployed on Wikimedia Space. The plugin does not attempt to read real name, but the authorization pop-up mentions real name. In addition to it being misleading, we have reason to believe this could be triggering for some users (many probably won't recall that they never provided a real name to Wikimedia).

Can this text be tweaked?

Change 536788 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/OAuth@master] Avoid mentioning real names on wikis which do not use it

https://gerrit.wikimedia.org/r/536788

Change 536788 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Avoid mentioning real names on wikis which do not use it

https://gerrit.wikimedia.org/r/536788

Thanks @Lucas_Werkmeister_WMDE for the merge! With that the user-facing text is fixed.

I wrote to translators-l to give a heads-up about the new messages.

What is left (for another time) is fixing the grant name in the consumer registration form for developers, and maybe storing whether the grant included real names (see gerrit comments for details - that seems like a lot of work though and it's probably not important enough to merit it).