Page MenuHomePhabricator

🟦️ Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements
Closed, ResolvedPublic8 Estimated Story Points

Description

As a gadget user I want statements created with my tool by a logged-in user to be attributed to that user so that the user gets credit for their contributions.
As a wiki administrator I want user permission to be taken into account so that illegal edits are not possible.

Bearer token authorization using Authorization HTTP header is to be used.

In case of authentication errors, including not having permission to create a statement, behaviour consistent with GET routes of Wikibase REST API, and with Mediawiki REST API is to be used, even if it was not 100% correct (e.g. using 403 response code instead of 401, or the other way round).

Note that 2020 Wikibase REST API proposal suggests responding with HTTP 501 or 503 in case of authentication errors which seems not correct.

No Wikibase-specific permissions have to be checked, but the user needs to have edit permissions. Make sure that *protected* items are also checked correctly.

Event Timeline

Jakob_WMDE renamed this task from Authenticate as mediawiki user when creating statement using POST /entities/items/{item_id}/statements to Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements.Jun 8 2022, 10:56 AM
Jakob_WMDE updated the task description. (Show Details)
Jakob_WMDE set the point value for this task to 8.

Notes from task breakdown:

  • authentication
  • authorization2: need to check whether user can edit the particular item
    • prerequisites @Silvan_WMDE creates ticket
      • create a PermissionChecker service interface with a canEdit( itemId $id, User $user ): bool method
      • create a User domain class containing the username
    • implement PermissionChecker using UserFactory and EntityPermissionChecker @Jakob_WMDE creates ticket
    • use PermissionChecker in the use case after calling revisionMetadataRetriever @Ollie.Shotton_WMDE creates ticket
      • return error response if not allowed
      • e2e test with protected item

Questions:
What is the response for protected items?

Jakob_WMDE renamed this task from Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements to 🟦️ Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements.Jun 22 2022, 2:42 PM

What is the response for protected items?

code:protected-page
message:`This page is currently protected and can only be edited by certain users.

Per daily discussion: instead of responding with specific errors for different reasons, let's keep it simple for now and respond with the same kind of error in all cases. This error should look like the one MediaWiki responds with when then route handler's needsWriteAccess check fails.

Turns out that the canEdit() check we are performing in the PermissionChecker may not only fail for protected pages, but also for other reasons, such as (partial) user blocks. Since we already had agreed, that the error response should be the same as the MediaWiki framework response, when the route handler's needsWriteAccess check fails, we are now returning a generic "permission denied" error from the use case. However, that never makes it to the surface, because the route handler detects it and turns it into the framework's standard 403 Forbidden response.

Can be tested on https://wikidata.beta.wmflabs.org/wiki/Q111, which I marked as protected for two weeks.

Tested a few scenarios, and looks good. Verified.