Page MenuHomePhabricator
Create Task
Maniphest T299050

Remove access to the IPInfo API if the beta feature is not enabled [M]
Closed, ResolvedPublic
Actions

Description

Background

If IPInfo is a beta feature on some wiki, there are some circumstances under which a user can access IPInfo's API while having the beta feature disabled. This should not be possible: if the beta feature is disabled for a user, they shouldn't have access to any part of it.

See T292802#7613187 for more details.

Acceptance criteria

  • If a user has the right to use IPInfo, but has it disabled as a beta feature, they should not be able to access the IPInfo API

Notes

  • If a wiki does not have the BetaFeatures extension enabled, IPInfo users with the right to use IPInfo should still be able to access all parts of it

Details

SubjectRepoBranchLines +/-
Disallow API access when feature is not beta enabledmediawiki/extensions/IPInfomaster+18 -0
Customize query in gerrit

Related Objects

Event Timeline

Tchanders created this task.Jan 12 2022, 1:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2022, 1:42 PM
Tchanders mentioned this in T292802: IP Info feature should be made available as a Beta feature for launch [M].Jan 12 2022, 1:44 PM
Tchanders moved this task from Untriaged to Pre-estimation/Triage on the Anti-Harassment board.Jan 12 2022, 1:46 PM
Prtksxna renamed this task from Remove access to the IPInfo API if the beta feature is not enabled to Remove access to the IPInfo API if the beta feature is not enabled [M].Jan 12 2022, 2:49 PM
Prtksxna moved this task from Pre-estimation/Triage to The Letter Song on the Anti-Harassment board.Jan 12 2022, 3:00 PM
Prtksxna edited projects, added Anti-Harassment (The Letter Song); removed Anti-Harassment.
STran claimed this task.Jan 13 2022, 11:38 AM
STran moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (The Letter Song) board.
gerritbot added a comment.Jan 18 2022, 2:11 PM

Change 754942 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/IPInfo@master] Disallow API access when feature is not beta enabled

https://gerrit.wikimedia.org/r/754942

gerritbot added a project: Patch-For-Review.Jan 18 2022, 2:11 PM
STran moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (The Letter Song) board.Jan 18 2022, 2:15 PM
Tchanders moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (The Letter Song) board.Jan 18 2022, 4:50 PM
gerritbot added a comment.Jan 18 2022, 9:18 PM

Change 754942 merged by jenkins-bot:

[mediawiki/extensions/IPInfo@master] Disallow API access when feature is not beta enabled

https://gerrit.wikimedia.org/r/754942

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.19; 2022-01-24).Jan 18 2022, 10:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 18 2022, 10:10 PM
dom_walden moved this task from QA/Testing 🐞 to Done: Q2 2021-22 on the Anti-Harassment (The Letter Song) board.Jan 20 2022, 10:45 AM
dom_walden subscribed.

The API will only return data if:

  • The Beta Features extension is installed and all three user options (ipinfo-beta-feature-enable, ipinfo-enable and ipinfo-use-agreement) are turned on
  • The Beta Features extension is not installed and both ipinfo-enable and ipinfo-use-agreement are turned on

If ipinfo-enable and ipinfo-use-agreement are on but ipinfo-beta-feature-enable is off the API will return 403: You do not have permission to perform the action.

Test environments:

  • https://en.wikipedia.beta.wmflabs.org IP Info 0.0.0 (961af0e) 14:10, 18 January 2022 (for testing with Beta Features extension installed)
  • local docker IP Info 0.0.0 (b2f2568) 08:17, 20 January 2022 (for testing with Beta Features extension not installed)
Niharika closed this task as Resolved.Feb 17 2022, 1:41 AM
Niharika moved this task from Backlog to Closed on the IP Info board.Aug 8 2022, 7:58 PM
AGueyte mentioned this in T263442: Display API failure errors in the IPInfo popup.Aug 12 2022, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits