
Structured Discussions exposes user’s IP address if logged out in other browser window/tab
Closed, Resolved · Public

Description

If I send a Structured Discussions comment and my session became invalid in the meantime, e.g. because I logged out in another browser window or tab, then the edit will be made under my IP address, with no warning whatsoever that it would be permanently recorded in the page history. The Flow extension should use assert=user with its API calls to avoid this. (See T124451 for a similar issue in Wikibase/Wikidata.)
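An added illustration of the assert=user mechanism the description asks for (example code, not Flow's or MediaWiki's own; makeServer, postWithAssert, the session table and the 203.0.113.7 address are constructed stand-ins). It models the race described above: the page is loaded while logged in, the session is invalidated from another tab, and the original tab then submits a write. Without the assertion the write is recorded under the IP; with it the API refuses with the error code assertuserfailed before anything is written, which the client can surface as "you are logged out" instead of retrying.

```javascript
// Added example (not Flow's or MediaWiki's code): what assert=user changes
// when a session dies between loading a page and submitting a write.
// makeServer() is a constructed stand-in for api.php that models only the
// behaviour this task depends on: MediaWiki rejects a request that carries
// assert=user with error code "assertuserfailed" when the caller is not
// logged in, and otherwise performs the write as whoever the session
// resolves to, which for a dead session is the anonymous user, i.e. the IP.

function makeServer(sessions) {
  const history = [];                  // constructed stand-in for the page history
  const clientIp = '203.0.113.7';      // constructed (RFC 5737 documentation range)
  return {
    history,
    logout(cookie) { delete sessions[cookie]; },   // "logged out in another tab"
    api(params, cookie) {
      const user = Object.prototype.hasOwnProperty.call(sessions, cookie)
        ? sessions[cookie] : null;     // null = anonymous
      if (params.assert === 'user' && user === null) {
        // Checked before any write happens, so nothing reaches the history.
        return { error: { code: 'assertuserfailed',
                          info: 'Assertion that the user is logged in failed' } };
      }
      // No assertion, or assertion satisfied: the edit is recorded under
      // whichever identity the request resolved to.
      history.push({ action: params.action, by: user === null ? clientIp : user });
      return { [params.action]: { status: 'ok' } };
    },
  };
}

// Before the fix: plain write, no assertion. A stale cookie silently becomes
// an anonymous edit and the IP lands in the permanent history.
function postWithoutAssert(server, cookie, content) {
  return server.api({ action: 'flow', submodule: 'reply', content }, cookie);
}

// After the fix (the idea behind the linked changes; hypothetical client
// code, not the patches themselves): every write carries assert=user, and
// the client treats assertuserfailed as "logged out", never as something
// to retry with the same stale session.
function postWithAssert(server, cookie, content) {
  const res = server.api(
    { action: 'flow', submodule: 'reply', content, assert: 'user' }, cookie);
  if (res.error && res.error.code === 'assertuserfailed') {
    return { ok: false, reason: 'logged-out', info: res.error.info };
  }
  if (res.error) {
    return { ok: false, reason: res.error.code, info: res.error.info };
  }
  return { ok: true };
}

// The race from the task description: page loaded while logged in, session
// invalidated from another tab, then the original tab submits.
function runScenario(useAssert) {
  const server = makeServer({ 'sess-abc': 'ExampleUser' });  // constructed session table
  server.logout('sess-abc');
  const post = useAssert ? postWithAssert : postWithoutAssert;
  const result = post(server, 'sess-abc', 'Reply text');
  return { result, history: server.history };
}

// Control: a live session with assert=user still succeeds and the edit is
// attributed to the account, so the assertion costs nothing in the normal case.
function runLoggedIn() {
  const server = makeServer({ 'sess-abc': 'ExampleUser' });
  const result = postWithAssert(server, 'sess-abc', 'Reply text');
  return { result, history: server.history };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('without assert:', JSON.stringify(runScenario(false)));
  console.log('with assert:   ', JSON.stringify(runScenario(true)));
  console.log('logged in:     ', JSON.stringify(runLoggedIn()));
}
```

With the real mw.Api the same `assert: 'user'` key is simply added to the params object of every write request; the point to carry over is that assertuserfailed is a terminal condition for the page's idea of who the user is, so the client should tell the user to log in again rather than resubmit.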

Event Timeline

Restricted Application added a project: Growth-Team. Mar 6 2019, 2:57 PM
Restricted Application added a subscriber: Aklapper.

Example topic: https://www.mediawiki.org/wiki/Topic:Uvemb1qb2aqcig8k – in this case it’s okay that the IP got exposed, it’s just the WMDE office, but still

Tgr claimed this task.Feb 22 2020, 5:39 AM

Change 575673 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/Flow@master] Assert the current user during all write operations

https://gerrit.wikimedia.org/r/575673

Change 575673 merged by jenkins-bot:
[mediawiki/extensions/Flow@master] Assert the current user during all write operations

https://gerrit.wikimedia.org/r/575673

Tgr added a comment.Mar 4 2020, 3:23 AM

Possible follow-ups:

  • cover the template-based code paths (as per the code review comment)
  • decent error handling on resolve/unresolve (c575674)
  • make the error message easier to understand for the user (could replace the API error with something custom in getApiErrorMessage)

Change 576515 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/Flow@master] [WIP] Assert that the user has not been logged out in flow-api.js

https://gerrit.wikimedia.org/r/576515

Etonkovidova closed this task as Resolved.Mar 4 2020, 11:27 PM
Etonkovidova added a subscriber: Etonkovidova.

The objective of the fix "Assert that the user has not been logged out in flow-api.js" is successfully implemented - a logged-out user (a user who logs out from another tab/window) will have a warning before publishing edits on Structured Discussions.

However, the warning message is too technical and doesn't provide users with clear instructions on what to do (unlike VE/wikitext editing). Based on the testing and on the @Tgr comment below, I filed T246956: SD - create better error message for logged out users attempting to edit.

Possible follow-ups:

  • cover the template-based code paths (as per the code review comment)
  • decent error handling on resolve/unresolve (c575674)
  • make the error message easier to understand for the user (could replace the API error with something custom in getApiErrorMessage)

I filed a phab task