Use assert=user instead of assertuser=<username>
Closed, DeclinedPublic
Actions

Assigned To

Authored By

	• Pablo-WMDE
	Sep 24 2019, 10:51 AM

Description

Per https://www.mediawiki.org/wiki/API:Login#Additional_notes we can verify that some user is logged in (without matching the user name) via assert=user in API requests. This should "prevent leaking IP addresses during editing" work for logged in user on setups that do not support central auth while still allowing for the user (name) to diverge.

in ForeignApiWritingRepository use assert=user instead of assertuser=<username>
conditionally send it depending on whether the user is logged in on the client

Event Timeline

• Pablo-WMDE created this task.Sep 24 2019, 10:51 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 24 2019, 10:51 AM

This is how I understood what we said earlier - please verify.
IMO it still has the flaw that it implicitly assumes that "logged in" expects "logged in" - it is the right thing to do for CentralAuth wikis but intransparent otherwise.

Lucas_Werkmeister_WMDE updated the task description. (Show Details)Sep 24 2019, 11:02 AM

Restricted Application added a project: Wikidata. · View Herald TranscriptNov 19 2019, 3:43 PM

Lydia_Pintscher moved this task from Needs work to Tech/Ready-ish on the Wikidata-Bridge board.Dec 5 2019, 1:13 PM

Closing based on discussion with @Lucas_Werkmeister_WMDE. The current state is fine it seems.

Lydia_Pintscher closed this task as Resolved.Dec 9 2019, 12:58 PM

Lydia_Pintscher claimed this task.

Lucas_Werkmeister_WMDE changed the task status from Resolved to Declined.Dec 9 2019, 1:06 PM

Use assert=user instead of assertuser=<username>Closed, DeclinedPublicActions

Description

Event Timeline

Use assert=user instead of assertuser=<username>
Closed, DeclinedPublic
Actions