Page MenuHomePhabricator

Flow Nuke integration is broken for non-existent users
Closed, ResolvedPublic

Description

For non-existent users ("This username was never registered"), it will instead show all anonymous Flow creations, risking that someone will accidentally delete constructive posts by anonymous users.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 10 2017, 5:44 PM
Mattflaschen-WMF triaged this task as Unbreak Now! priority.
Mattflaschen-WMF updated the task description. (Show Details)
dpatrick added a subscriber: dpatrick.EditedApr 10 2017, 10:45 PM

This has been deployed:

22:45 dapatrick: Deployed patch for T162621 to wmf18 and wmf19

Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptApr 13 2017, 5:40 PM

Now that the patch is deployed in production, should it be merged into master as well? It's not clear to me what the policy is for security fixes in extensions that are not part of the release bundle.

Now that the patch is deployed in production, should it be merged into master as well? It's not clear to me what the policy is for security fixes in extensions that are not part of the release bundle.

Once it's deployed, it can go to Gerrit, per https://phabricator.wikimedia.org/T146425#2742263 .

This is now merged to master and I've put up release branch backports:

master - https://gerrit.wikimedia.org/r/#/c/348407/ (merged)
1.27 - https://gerrit.wikimedia.org/r/#/c/348408/1
1.28 - https://gerrit.wikimedia.org/r/#/c/348409/1

Unfortunately, I ran into https://github.com/composer/composer/pull/5660, so the release branch commits are V-1. Nevertheless, it's public now, so I had to announce it to let people know to update. So I've sent it out to wikitech-l@lists.wikimedia.org and mediawiki-l@lists.wikimedia.org, but we now need to get those merged.

Legoktm said I should just cherry-pick a patch that excludes vendor, so I've done so:
1.27 - https://gerrit.wikimedia.org/r/348410
1.28 - https://gerrit.wikimedia.org/r/348411

Once the last two are merged, we should able to merge the security patch backports cleanly.

This is now merged to all supported branches, and announced. Please make this task public.

Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 17 2017, 6:42 PM
Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptApr 17 2017, 6:42 PM
Restricted Application removed a subscriber: TerraCodes. · View Herald TranscriptApr 17 2017, 8:41 PM

Checked in enwiki betalabs - when non-existing username is entered on Special:Nuke, the warning is displayed: "No new pages by [non-existing username] in recent changes." And no list of new pages is displayed.

QA Recommendation: Resolve

dpatrick closed this task as Resolved.Apr 25 2017, 4:10 PM