Page MenuHomePhabricator
Create Task
Maniphest T267755

OAuth extension - REST - show error (rights restrictions) messages instead of an object '{}'
Closed, ResolvedPublic5 Estimated Story Points
Actions

Description

For instance - ".../oauth2/client" [GET] will return (in case email field is restricted for a user):

Expected behavior:

screen (1).png (327×514 px, 17 KB)

Observed behavior:

screen_.png (313×504 px, 17 KB)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ListClients.php: Filter clients response datamediawiki/extensions/OAuthmaster+10 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

Art.tsymbar created this task.Nov 11 2020, 6:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 11 2020, 6:42 PM
Art.tsymbar updated the task description. (Show Details)Nov 11 2020, 6:43 PM
Art.tsymbar added a parent task: T264457: Client secret shared between clients.
Art.tsymbar added a subscriber: apaskulin.Nov 11 2020, 6:47 PM
Art.tsymbar added a comment.Nov 11 2020, 6:51 PM

The Idea is just to: make DAOAccessControl::get() to return a string - like "$msg->text()" and not an $msg obj. as now.

Unfortunatelly __toString() will not be called in this case, only typecast can help but this is not an option to add "(string)" averywhere where $cmrAc->getXXXX() is used.

apaskulin triaged this task as High priority.Nov 12 2020, 6:49 PM
apaskulin moved this task from Backlog to Current sprint Backlog on the Platform Team Workboards (S&F Workboard) board.
Pchelolo added a comment.Nov 16 2020, 3:45 PM

Usually if some field in inaccessible in REST API we just set it to null or omit it instead of setting it to the error message. How would you expect the client to differentiate between a real email and an error message?

BPirkle added a comment.Nov 16 2020, 4:32 PM

The issue that @Pchelolo mentioned applied not only to the client, but also to internal code. If DAOAccessControl::get() always returns a string, internal callers don't have a good way to tell whether the call succeeded.

If I'm understanding Art's concern, in the current code functions like getEmail() return a Message object if the field is not available, which (when passed through all our plumbing for generating responses) end up returning the string "{}". So to omit it with current code, we'd need to test the return value everywhere that a Message object could be returned. That'd be painfully messy if we did it manually in all cases.

If we did actually want to return the error message to the client, I'm not sure why typecasting everywhere is not an option. It'd be a lot of places, but not an insurmountable amount.

If we prefer to omit/null the value (which makes more sense to me based on other things we've done in REST, thanks Petr for mentioning that) what if we wrapped these calls in a helper function in ListClients? Something like:

private function stringOrNull( $field ) {
  return isstring( $field ) ? $field : null;
}

We could probably come up with a better function name, and I'm not sure if it should be private or protected. But you get the idea.

Alternatively, if we choose to omit, we could have DAOAccessControl::get() return null unless an optional flag was set to return the Message object. I haven't checked the code to see what that might break. It might be okay, or it might be really bad.

apaskulin renamed this task from OAuth extension - REST - show error (rights restrictions) messages intead of an object '{}' to OAuth extension - REST - show error (rights restrictions) messages instead of an object '{}'.Nov 16 2020, 6:14 PM
Art.tsymbar moved this task from Current sprint Backlog to In Progress/Doing on the Platform Team Workboards (S&F Workboard) board.Nov 17 2020, 10:37 AM
Art.tsymbar set the point value for this task to 5.Nov 17 2020, 6:00 PM
apaskulin lowered the priority of this task from High to Medium.Nov 24 2020, 12:13 AM
gerritbot added a comment.Dec 3 2020, 10:03 AM

Change 645044 had a related patch set uploaded (by Vadim Kovalenko; owner: Vadim Kovalenko):
[mediawiki/extensions/OAuth@master] ListClients.php: Show error message

https://gerrit.wikimedia.org/r/645044

gerritbot added a project: Patch-For-Review.Dec 3 2020, 10:03 AM
Helga_sf moved this task from In Progress/Doing to In Progress/In Review on the Platform Team Workboards (S&F Workboard) board.Dec 7 2020, 4:34 PM
apaskulin mentioned this in T269880: Unexpected email-not-confirmed error.Dec 10 2020, 7:34 PM
gerritbot added a comment.Dec 14 2020, 6:51 PM

Change 645044 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] ListClients.php: Filter clients response data

https://gerrit.wikimedia.org/r/645044

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.22; 2020-12-15).Dec 14 2020, 7:00 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 14 2020, 7:11 PM
Vlad.shapik moved this task from In Progress/In Review to PM Sign Off on the Platform Team Workboards (S&F Workboard) board.Dec 17 2020, 1:04 PM
apaskulin closed this task as Resolved.Jan 8 2021, 12:26 AM
apaskulin moved this task from PM Sign Off to Done on the Platform Team Workboards (S&F Workboard) board.

Resolving. Thanks, Vlad!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits