Employer autocomplete showing readonly error in production
Closed, ResolvedPublic
Actions

Description

Calls to the new API show the following:

Request:
https://payments.wikimedia.org/api.php?action=employerSearch&employer=applee&format=json

Response:
{"error":{"code":"readapidenied","info":"You need read permission to use this module.","*":"See https://payments.wikimedia.org/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes."}}

Details

	Subject	Repo	Branch	Lines +/-
	Change to not read mode to allow access from form	mediawiki/extensions/DonationInterface	master	+5 -0

Customize query in gerrit

Related Objects

Mentioned In: T255713: Add lockdown to vagrant fundraising role
Mentioned Here: T148582: Lockdown blocks extensions relying on API interaction

Event Timeline

jgleeson created this task.Jun 15 2020, 7:44 PM

Restricted Application added subscribers: Liuxinyu970226, Aklapper. · View Herald TranscriptJun 15 2020, 7:44 PM

• DStrine moved this task from Triage to Sprint +1 on the Fundraising-Backlog board.Jun 15 2020, 7:54 PM

• DStrine moved this task from Sprint +1 to Current Sprint on the Fundraising-Backlog board.

• DStrine added a project: Fundraising Sprint Lazy Loading Life.

We need to white list the page because we have: $wgGroupPermissions['*']['read'] = false; set.

It looks like we're using Lockdown. There's a chance this may be more challenging.

• mepps moved this task from Backlog to Doing on the Fundraising Sprint Lazy Loading Life board.Jun 17 2020, 7:19 PM

I'm currently looking at: https://phabricator.wikimedia.org/T148582 to see how I add the api to the allow list.

There are two paths:

allow the api to be accessed by any anonymous user (still making sure we can do this) - but I think it would be adding "api" to the $wgWhitelistRead array
figure out how to add authentication based on a config variable
or do both

Based on a brief conversation in chat with @AndyRussG and @jgleeson we will want to lock this down and probably add a config token for accessing it.

@Ejegg says we can try allowing it. Now I just have to make sure that's doable :).

• mepps mentioned this in T255713: Add lockdown to vagrant fundraising role.Jun 17 2020, 8:02 PM

I added Lockdown locally and am trying to match the prod settings.

Sadly adding "api" to the setting did not solve the problem :(.

So even though the settings say "Lockdown", it looks we don't have it installed. However, the problem remains the same that $wgGroupPermissions['*']['read'] = true; is blocking api access and I'm not sure how to make it accessible.

Change 606296 had a related patch set uploaded (by Mepps; owner: Mepps):
[mediawiki/extensions/DonationInterface@master] Change to require post and not read mode to allow access from form

https://gerrit.wikimedia.org/r/606296

gerritbot added a project: Patch-For-Review.Jun 18 2020, 12:01 AM

• mepps moved this task from Doing to Review on the Fundraising Sprint Lazy Loading Life board.Jun 18 2020, 3:01 PM

Change 606296 merged by jenkins-bot:
[mediawiki/extensions/DonationInterface@master] Change to not read mode to allow access from form

https://gerrit.wikimedia.org/r/606296

Maintenance_bot removed a project: Patch-For-Review.Jun 18 2020, 4:10 PM

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.38; 2020-06-23).Jun 18 2020, 5:01 PM

• mepps moved this task from Review to Pending Deployment on the Fundraising Sprint Lazy Loading Life board.Jun 22 2020, 6:36 PM

• DStrine added a project: Fundraising Sprint MySQL is YourSQL and WeSQL.Jun 23 2020, 8:55 PM

AndyRussG moved this task from Backlog to Done on the Fundraising Sprint MySQL is YourSQL and WeSQL board.Jun 24 2020, 5:28 AM

AndyRussG closed this task as Resolved.Jun 24 2020, 5:45 AM

AndyRussG claimed this task.