If I send a Structured Discussions comment and my session has become invalid in the meantime, e.g. because I logged out in another browser window or tab, then the edit will be made under my IP address, with no warning whatsoever that it would be permanently recorded in the page history. The Flow extension should use assert=user with its API calls to avoid this. (See T124451 for a similar issue in Wikibase/Wikidata.)
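What assert=user changes for a write made with a stale session, as an added example that is not code from the Flow extension or from this task. The request shape, the function names and the `fakeApiPost` server stand-in are hypothetical; `assert`, `assertuser` and the two error codes are the MediaWiki Action API's own, and `assertuser` goes one step beyond the task by also catching a switch to a different account.

```javascript
// Error codes the MediaWiki Action API returns when assert / assertuser fails.
const SESSION_ERRORS = new Set(['assertuserfailed', 'assertnameduserfailed']);

// Add the assertion to a write request. userAtPageLoad is the account name the
// page was rendered for, or null if the page was loaded anonymously.
function withUserAssertion(params, userAtPageLoad) {
  if (userAtPageLoad === null) return { ...params }; // anonymous from the start
  return { ...params, assert: 'user', assertuser: userAtPageLoad };
}

// Constructed stand-in for the server side (not MediaWiki code): checks the
// assertions against the session as it is when the request arrives.
function fakeApiPost(params, session) {
  if (params.assert === 'user' && session.user === null) {
    return { error: { code: 'assertuserfailed' } };
  }
  if (params.assertuser !== undefined && params.assertuser !== session.user) {
    return { error: { code: 'assertnameduserfailed' } };
  }
  // No assertion failed: the edit is attributed to whoever the session says.
  return { attributedTo: session.user ?? session.ip };
}

// Client-side write path. A failed assertion stops the save and asks for a
// new login; it is never retried without the assertion.
function submitReply(text, userAtPageLoad, session, useAssertion = true) {
  const base = { action: 'hypothetical-write', content: text }; // placeholder request
  const params = useAssertion ? withUserAssertion(base, userAtPageLoad) : base;
  const res = fakeApiPost(params, session);
  if (res.error && SESSION_ERRORS.has(res.error.code)) {
    return { saved: false, needsLogin: true, attributedTo: null };
  }
  return { saved: true, needsLogin: false, attributedTo: res.attributedTo };
}

// Constructed scenario: page loaded as "Alice", then logged out in another tab.
// 192.0.2.7 is a documentation-range address.
const staleSession = { user: null, ip: '192.0.2.7' };
console.log(submitReply('hi', 'Alice', staleSession, false)); // saved under the IP
console.log(submitReply('hi', 'Alice', staleSession));        // rejected, needs login
```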
Related Objects
- Mentioned In
  - T246956: SD - create better error message for logged out users attempting to edit
  - T60696: Flow: It's too easy to accidentally edit when logged-out
- Mentioned Here
  - T246956: SD - create better error message for logged out users attempting to edit
  - T124451: Don't make edits if a logged in user gets logged out
Event Timeline
Example topic: https://www.mediawiki.org/wiki/Topic:Uvemb1qb2aqcig8k – in this case it’s okay that the IP got exposed, it’s just the WMDE office, but still
Change 575673 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/Flow@master] Assert the current user during all write operations
Change 575673 merged by jenkins-bot:
[mediawiki/extensions/Flow@master] Assert the current user during all write operations
Possible follow-ups:
- cover the template-based code paths (as per the code review comment)
- decent error handling on resolve/unresolve (c575674)
- make the error message easier to understand for the user (could replace the API error with something custom in getApiErrorMessage)
Change 576515 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/Flow@master] [WIP] Assert that the user has not been logged out in flow-api.js
The objective of the fix "Assert that the user has not been logged out in flow-api.js" is successfully implemented - a logged out user (a user who logs out from another tab/window) will have a warning before publishing edits on Structured discussions.
However, the warning message is too technical and doesn't provide users with clear instructions on what to do (not like VE/wikitext editing). Based on the testing and on the @Tgr comment below, I filed T246956: SD - create better error message for logged out users attempting to edit.
I filed a phab task