Page MenuHomePhabricator
Create Task
Maniphest T282629

/developer-settings does not guard against anon users
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

What happens?:
The view tries to load http://localhost:8000/api/oauth/authorized/?page=1 and gets a 401 response

What should have happened instead?:
The route should kick you out or display a notice that this feature only works when you are logged in without triggering the api call.

Details

SubjectRepoBranchLines +/-
Guard /developer-settings against anon userswikimedia/toolhubmain+25 -5
Customize query in gerrit

Event Timeline

bd808 created this task.May 11 2021, 11:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 11 2021, 11:07 PM
bd808 added a comment.May 11 2021, 11:09 PM

One idea:

  • split the 3 tabs out into separate components
  • make the "client apps" tab that anons can see the default tab
  • guard the "register apps" and "authorized apps" tabs even being rendered based on authentication status
bd808 added a comment.May 11 2021, 11:11 PM

The 401 error being shown as "Oops! An error occurred: [object Object]" is also a bug. The JSON payload of the 401 response has a better message of "Authentication credentials were not provided." inside it.

srishakatux claimed this task.May 19 2021, 10:55 PM
gerritbot added a comment.Jun 2 2021, 9:43 PM

Change 697868 had a related patch set uploaded (by Srishakatux; author: srishakatux):

[wikimedia/toolhub@main] Guard /developer-settings against anon users

https://gerrit.wikimedia.org/r/697868

gerritbot added a project: Patch-For-Review.Jun 2 2021, 9:43 PM
srishakatux added a comment.Jun 2 2021, 9:47 PM
In T282629#7080357, @bd808 wrote:

The 401 error being shown as "Oops! An error occurred: [object Object]" is also a bug. The JSON payload of the 401 response has a better message of "Authentication credentials were not provided." inside it.

@bd808 I see that users.js is not relying at all on getFailurePayload. Can take this up as part of T268774 next.

gerritbot added a comment.Jun 3 2021, 9:54 PM

Change 697868 merged by jenkins-bot:

[wikimedia/toolhub@main] Guard /developer-settings against anon users

https://gerrit.wikimedia.org/r/697868

srishakatux closed this task as Resolved.Jun 3 2021, 9:55 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 3 2021, 10:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL