Move common user query parameter validation, edit token requiringness/checking to ApiBase/Similar
Closed, ResolvedPublic

Description

Seemingly (at least!) 3 different ways of validating/whinging at the user for the user parameters.

Commonise and reuse.

They can still apply more restrictive validation (!anon etc) themselves

As per IRC convo beneath:

[23:29:26] <|reedy|> http://en.wikipedia.org/w/api.php?action=query&list=recentchanges&rcuser=User:Reedy
[23:29:28] <|reedy|> http://en.wikipedia.org/w/api.php?action=query&list=logevents&leuser=User:Reedy
[23:29:51] <|reedy|> RoanKattouw: seemingly 3 different (at least) sets of behaviour
[23:30:24] <|reedy|> http://en.wikipedia.org/w/api.php?action=query&format=xml&list=usercontribs&ucuser=User:Reedy
[23:30:30] <RoanKattouw> Yeah I assumed that'd be it
[23:30:32] <RoanKattouw> Interesting
[23:30:36] <|reedy|> heh
[23:30:44] <|reedy|> I was looking at bug 21966 to see "how its done elsewhere"
[23:30:51] <RoanKattouw> uc reads your mind, le throws an error, rc literally looks for User:User:Reedy
[23:30:57] <|reedy|> Yup
[23:31:00] <|reedy|> Tbh
[23:31:17] <|reedy|> Shouldn't the validation for this bit be done in a parent class and kept the same for all?
[23:31:59] <RoanKattouw> |reedy|: Yes, it should happen in ApiBase
[23:32:10] <RoanKattouw> Well.... not necessarily
[23:32:24] <|reedy|> Well, somewhere common.. As they should all experience the same validation
[23:32:25] <RoanKattouw> For instance, usercontribs allows ucuser=1.2.3.4 , but logevents doesn't
[23:32:40] <RoanKattouw> Because anonymous users cannot have log entries
[23:32:42] <|reedy|> I mean, at least, the method, can still do its own, and call the common
[23:32:43] <|reedy|> Sure
[23:32:49] <RoanKattouw> But anons can have contribs and RC
[23:33:21] <RoanKattouw> |reedy|: Yeah, so the basic ApiBase validation should just be the uc&rc stuff, and then le can add it's no-anons strictness itself
[23:33:29] <|reedy|> Yup
[23:38:13] <RoanKattouw> |reedy|: Yeah well since I'm not a volunteer anymore (it's 2010 now, I get paid again, yay) I probably won't be getting to it any time soon
[23:33:37] <RoanKattouw> Although I'm not sure anyone's actually tested with 6, only aware of 5.3
[23:34:19] <RoanKattouw> Of course usercontribs and RC still validate differently, that should be made consistent
[23:34:24] <|reedy|> RoanKattouw: i suppose thats possibly the way to do it... Shall i log it as an enhancement and put it as blocking 21966?
[23:34:37] <|reedy|> cause "fixing" that will fix 21966 in one way or another
[23:34:43] <RoanKattouw> That's true
[23:35:03] <RoanKattouw> Yeah go ahead and do that, unless you feel like fixing this in the short term
[23:35:29] <|reedy|> RoanKattouw: i may get to it, not too difficult, just needs some time i suppose :)


Version: unspecified
Severity: enhancement

Details

Reference
bz21991
bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz21991.
bzimport added a subscriber: Unknown Object (MLST).
Reedy created this task.Jan 1 2010, 11:41 PM
Reedy added a comment.Jan 3 2010, 1:52 PM

Oh Roan, I should've really asked.. Which way do we want to move to?

(In reply to comment #1)

Oh Roan, I should've really asked.. Which way do we want to move to?

Ideally, the 'user' parameter type would trigger validation code in ApiBase that is relatively relaxed and validates rc-style (allow IPs, throw error on invalid stuff, don't mess with namespace prefixes so &rcuser=Talk:Foo means User:Talk:Foo and &rcuser=User:Foo means User:User:Foo ; the latter is presumably invalid). Logevents can then enforce the user-must-exist criterion by just checking $user->isLoggedIn() and throwing an error if that returns false.

Disclaimer: I don't know offhand which validation function does this. I think it's User::getCanonicalName() or a related function; see http://svn.wikimedia.org/doc/classUser.html

Reedy added a comment.Feb 14 2010, 3:34 PM

http://www.mediawiki.org/wiki/Special:Code/MediaWiki/62402#c5774

Token requiring/checking

Retitling to cater for this

r62482 does the token requireness check :)

It seems there is only one hashed token...

		if ( !$wgUser->matchEditToken( $params['token'], $user->getName() ) )

in ApiUserrights.php

Simplest way to deal with this, would seem to be, in that module, don't have the checks done in ApiMain for this.

Or we have another method property like

public function checkToken() {
return true;
}

And default this to false for this module, and it can hash check it's own way if it wants...

Either or seems to be sensible

*It seems there is only one salted token.

(In reply to comment #5)

It seems there is only one hashed token...

if ( !$wgUser->matchEditToken( $params['token'], $user->getName() ) )

in ApiUserrights.php

There's another one in ApiRollback.php

Simplest way to deal with this, would seem to be, in that module, don't have
the checks done in ApiMain for this.

Or we have another method property like

public function checkToken() {
return true;
}

And default this to false for this module, and it can hash check it's own way
if it wants...

Either or seems to be sensible

I'd recommend introducing a function that returns the salt (usually the empty string, and false if there's no token to be checked), see also CR r62482.

r62557 does the validation of the token where possible

Token requiringness/checking is now done.

Including in the extensions in the SVN

Reedy added a comment.Feb 17 2010, 9:45 AM

Minor title tweak - rc and uc weren't what we were actually looking at changing, we were just looking at the *user parameter!

Just like validation of string/integer/timestamp etc. is centralized in ApiBase.php, perhaps a new PARAM_TYPE could be added for 'username' ?

Reedy added a comment.Dec 6 2011, 10:30 PM

(In reply to comment #11)

Just like validation of string/integer/timestamp etc. is centralized in
ApiBase.php, perhaps a new PARAM_TYPE could be added for 'username' ?

That would work.

The question is how far do we go validating it - Just as far as "Would MW let you have this username?" and if so, carrying on? And/or it will make a valid User object (though, shouldn't these 2 things be essentially the same?)?

Anomie moved this task from Unsorted to Needs Code on the MediaWiki-API board.Feb 20 2015, 7:36 PM
demon removed a subscriber: demon.Aug 19 2015, 4:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 19 2015, 4:41 PM
Anomie closed this task as Resolved.May 19 2018, 3:28 PM
Anomie added a subscriber: Anomie.

The three mentioned modules all use the "user" parameter type, validated by ApiBase, as of rMW381a6ce69184: API: Flag "user" parameters in various modules as type 'user'.

rMW0e8b0b41ac5b: Refactor requiresToken to getTokenSalt - Returns salt if exists, null if no… removed the matchEditToken() call from ApiUserrights, and rMW9af38c046c86: RollbackAction: Implement AJAX interface and require POST from ApiRollback. There currently is only one call to that method in ApiBase.