Page MenuHomePhabricator
Create Task
Maniphest T177717

When the user logs out in a different browser, Watchlist and RC page with New Filters should behave appropriately
Closed, ResolvedPublic
Actions

Description

The problem on Watchlist

Do the following steps on Watchlist with the New Filters active:

  • Log in.
  • Click on Live updates.
  • Wait 10 seconds.
  • Open a different broswer
  • Open some local wiki page and log in
  • Wait 10 seconds.
  • Log out.
  • Go back to the first browser

Expected result: Watchlist logs out, Live Update stops updating, and the system lets the user know what has happened.
Actual result: Live Update keeps going (at least the animation does); the status appears to be logged in, since the "Log out" link is displayed at upper right; but the system offers this confusing message: "No changes during the given period match these criteria."

The problem is actually broader than just Live Update. If you log out in one browser then go to another one showing your Watchlist, as soon as you try to do something on that Watchlist, you should be logged out and no Watchlist should be displayed (because logged out users have no Watchlist). That's how the old Watchlist worked. But the new filters don't log you out, even if you do a search (though you get no results). You will be logged out if you click on an article link...

The solution on Watchlist

  • As soon as the user tries to do any action on Watchlist, log the user out and bring him to this page (which displays the message "Please log in to view or edit items on your Watchlist.")
    • Every time Live Update tries to update, that should be considered an "action" for the above purposes.

The problem on Recent Changes

Do the following steps on Recent changes with the New Filters active:

  • Log in.
  • Click on Live updates.
  • Wait 10 seconds.
  • Open a different browser
  • Open some local wiki page and log in
  • Wait 10 seconds.
  • Log out.
  • Go back to the first browser

Expected result: The system logs out and the page refreshes with the logged-out version of Recent Changes.
Actual result: Recent Changes does NOT log out, and Live Update keeps updating. Filters that are not available in a logged out state (e.g., Watchlist filters) are still available in the menu, but they DON'T DO ANYTHING (meaning the user thinks she's getting a search she's actually not).

The solution on Recent changes

  • As soon as the user tries to do any action on Recent Changes, log her out and refresh the page with the logged out version of Recent Changes showing the default filter set (i.e., all previous filter settings are lost). If Live Update was active, it stops.
    • Every time Live Update tries to update, that should be considered an "action" for the above purposes.

Details

Related Gerrit Patches:
mediawiki/core : masterFix how "Live updates" behave when user logs out

Related Objects
Search...

Event Timeline

IKhitron created this task.Oct 8 2017, 1:54 PM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptOct 8 2017, 1:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Etonkovidova added a subscriber: Etonkovidova.Oct 11 2017, 6:57 PM

@IKhitron Did the following steps are the steps that you did?

  1. I am logged in (en.wikipedia.org) on desktop and on a mobile phone
  2. On both devices I am on RC page. On desktop RC page is with enabled 'Live updates'; on the mobile there is not 'Live updates', so I do nothing.
  3. I am logging out from mobile; my desktop RC with 'Live updates' keeps updating the page as usual. I am changing filters and other parameters on the page - the page changes accordingly and I am still being logged in.
  4. When I navigate to a different page on the desktop, I will be logged out and I will see RC page as an anon user. As anon user, I do not have 'Live updates', but otherwise, all is working as expected.
IKhitron added a comment.EditedOct 11 2017, 7:01 PM
In T177717#3676860, @Etonkovidova wrote:

@IKhitron Did the following steps are the steps that you did?

  1. I am logged on on the same desktop computer, Firefox and Chrome.
  2. It's Liveupdate on on FF and some page on Chrome.
  3. FF gives me new updates.
  4. I logout from Chrome.
  5. After 5 seconds I see this message on FF. There are no updates any more.

Thank you.

Etonkovidova added a comment.Oct 12 2017, 6:35 PM

Thanks, @IKhitron - we will triage the issue.

Petar.petkovic added a subscriber: Petar.petkovic.Nov 28 2017, 5:20 PM
In T177717#3676887, @IKhitron wrote:
In T177717#3676860, @Etonkovidova wrote:

@IKhitron Did the following steps are the steps that you did?

  1. I am logged on on the same desktop computer, Firefox and Chrome.
  2. It's Liveupdate on on FF and some page on Chrome.
  3. FF gives me new updates.
  4. I logout from Chrome.
  5. After 5 seconds I see this message on FF. There are no updates any more.

Thanl you.

I have tried exact steps as described, but Live updates just keep arriving. Message "No changes during the given period match these criteria." is NOT showing.
For me, it is behaving like @Etonkovidova described above (in T177717#3676860).

  • My "Live updates" keeps updating the page as usual. I am changing filters and other parameters on the page - the page changes accordingly and I am still being logged in.
  • When I navigate to a different page on the desktop, I will be logged out and I will see RC page as an anon user. As anon user, I do not have 'Live updates', but otherwise, all is working as expected.
I was using Chrome 62 and Firefox 58 for testing.
IKhitron added a comment.Nov 28 2017, 5:28 PM

I just tried again and get exactly the same message.

jmatazzoni added a subscriber: jmatazzoni.Nov 28 2017, 5:59 PM

I can't reproduce this either. When I log out in the other window, it just keeps Live Updating until i click on something, at which point it logs me out. @IKhitron, can you perhaps try this again and record precisely the steps you are taking, making sure you don't leave any out?

IKhitron added a comment.Nov 28 2017, 6:09 PM
In T177717#3793468, @jmatazzoni wrote:

I can't reproduce this either. When I log out in the other window, it just keeps Live Updating until i click on something, at which point it logs me out. @IKhitron, can you perhaps try this again and record precisely the steps you are taking, making sure you don't leave any out?

  1. I'm on last FF.
  2. Logged in.
  3. Go to Watchlist with rcfilters tab.
  4. Click on Live updates.
  5. Wait 10 seconds.
  6. Open Chrome.
  7. Open some local wiki page.
  8. Login.
  9. Wait 10 seconds.
  10. Logout.
  11. Go back to FF.
  12. Stare the Watchlist.
  13. After 5 seconds the message appears.
jmatazzoni added a comment.Nov 28 2017, 7:36 PM

OK, I see it now. I was using Recent Changes, which, unlike Watchlist, keeps on updating. On Watchlist you indeed do get logged out. I'm not sure why. Yes. The message should say:

You have been logged out. Log in again to continue.

jmatazzoni added a comment.Nov 28 2017, 7:38 PM

And, BTW, it doesn't matter if you use different browsers. I used Chrome for both sessions and got the same result.

Petar.petkovic added a comment.Nov 28 2017, 7:43 PM
In T177717#3794112, @jmatazzoni wrote:

OK, I see it now. I was using Recent Changes, which, unlike Watchlist, keeps on updating. On Watchlist you indeed do get logged out. I'm not sure why. Yes. The message should say:
You have been logged out. Log in again to continue.

I could not see the problem for the same reasons. Was using RC, instead of WL page.
Thank you @IKhitron for reporting the issue and for detailed description on how to reproduce.

IKhitron added a comment.Nov 28 2017, 7:43 PM

I know why it logs out, @jmatazzoni. It's because logging out on some device logs you out automatically from all your current sessions. The problem is the message text.

IKhitron added a comment.Nov 28 2017, 7:50 PM

You are welcome. :-)

Trizek-WMF added a comment.Nov 29 2017, 8:43 AM

Naive question: isn't it a normal security feature to be logged out everywhere if you log-out from one place?

Etonkovidova added a comment.Nov 29 2017, 7:11 PM

@Trizek-WMF It's common to kill all sessions started by one user as soon as user logs out on one of the devices or browsers/tabs.

What's most interesting in this bug, it's RC page behavior. RC page with On Watchlist (or New Watchlist changes, or Not on Watchlist) and active Live update. After a user logs out on a different tab/browser, theRC page UI will not have any indication that log-out event has happened. The result set will be silently default to anon default filters. I am updating the ticket description and elevate the priority.

jmatazzoni added a comment.Nov 29 2017, 7:24 PM

! In T177717#3797644, @Etonkovidova wrote:

....After a user logs out on a different tab/browser, theRC page UI will not have any indication that log-out event has happened.

Thanks Elena. That sounds like a separate issue. Will you please write a ticket for that, and we can discuss the appropriate remedy there? Thanks.

Etonkovidova updated the task description. (Show Details)Nov 29 2017, 7:26 PM
Etonkovidova added a comment.Nov 29 2017, 7:30 PM

@jmatazzoni

That sounds like a separate issue.

  • The underlying cause for the issue is the same for both RC page and Watchlist. User session handling needs to be improved.

Let's keep it as one ticket for now. Per dev feedback, they can be separated later.

PS. I've updated the ticket description.

jmatazzoni renamed this task from Liveupdate shows wrong message on logout to When the user logs out in a different browser, Watchlist and RC page with New Filters should behave appropriately.Dec 6 2017, 12:47 AM
jmatazzoni updated the task description. (Show Details)
jmatazzoni added subscribers: Catrope, SBisson.
jmatazzoni moved this task from Untriaged to Ready for Pickup on the Collaboration-Team-Triage (Collab-Team-This-Quarter) board.Dec 6 2017, 12:50 AM

That was actually kind of knotty. It's not really about Live Update—it's about any action that the user takes after the log out in a different browswer. But we do have to also make it so that any Live Update update is considered an "action." @Catrope and @Etonkovidova, you might want to have a look and make sure the solutions I've recommended make sense to you. They are based on what the system did before the New Filters.

gerritbot added a subscriber: gerritbot.Dec 13 2017, 9:23 PM

Change 398126 had a related patch set uploaded (by Petar.petkovic; owner: Petar.petkovic):
[mediawiki/core@master] Fix how "Live updates" behave when user logs out

https://gerrit.wikimedia.org/r/398126

gerritbot added a comment.Dec 18 2017, 4:06 PM

Change 398126 merged by jenkins-bot:
[mediawiki/core@master] Fix how "Live updates" behave when user logs out

https://gerrit.wikimedia.org/r/398126

Etonkovidova added a comment.Dec 19 2017, 12:02 AM

Given that betalabs handles user sessions rather erratically (kicking out of user sessions and re-login), as far as I could check, the specs have been implemented.

A user with enabled 'Live updates' on Watchlist will be redirected to the Login page after the next cycle of fetching the update.
A user with enabled 'Live updates' on Recent Changes will be redirected to the non-login RC page (no Saved filters, no Watchlist based filters).

Without enabled 'Live updates' - the behavior is the same as described above when a user will perform any action on RC or Watchlist pages.

Note: I will check throughly upon deployment to testwiki.

QA Recommendation: Resolve

jmatazzoni closed this task as Resolved.Dec 19 2017, 12:22 AM
Etonkovidova added a comment.Jan 2 2018, 11:06 PM

Checked in wmf.15 (testwiki) - works as expected.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL