Page MenuHomePhabricator
Create Task
Maniphest T309846

🟦️ Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements
Closed, ResolvedPublic8 Estimated Story Points
Actions

Description

As a gadget user I want statements created with my tool by a logged-in user to be attributed to that user so that the user gets credit for their contributions.
As a wiki administrator I want user permission to be taken into account so that illegal edits are not possible.

Bearer token authorization using Authorization HTTP header is to be used.

In case of authentication errors, including not having permission to create a statement, behaviour consistent with GET routes of Wikibase REST API, and with Mediawiki REST API is to be used, even if it was not 100% correct (e.g. using 403 response code instead of 401, or the other way round).

Note that 2020 Wikibase REST API proposal suggests responding with HTTP 501 or 503 in case of authentication errors which seems not correct.

No Wikibase-specific permissions have to be checked, but the user needs to have edit permissions. Make sure that *protected* items are also checked correctly.

Related Objects
Search...

Event Timeline

WMDE-leszek created this task.Jun 3 2022, 10:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 3 2022, 10:07 AM
WMDE-leszek mentioned this in T306667: 🟩️ Create a statement on an item via POST /entities/items/{item_id}/statements.Jun 3 2022, 10:08 AM
WMDE-leszek added a project: Story.Jun 3 2022, 10:40 AM
WMDE-leszek added a parent task: T301860: Enable reading and modifying a statement of item or property using REST API.
Jakob_WMDE renamed this task from Authenticate as mediawiki user when creating statement using POST /entities/items/{item_id}/statements to Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements.Jun 8 2022, 10:56 AM
Jakob_WMDE updated the task description. (Show Details)
Jakob_WMDE set the point value for this task to 8.
WMDE-leszek moved this task from Backlog to Sprint 9 on the Wikibase Product Platform (v1) board.Jun 22 2022, 10:30 AM
WMDE-leszek edited projects, added Wikibase Product Platform (v1) (Sprint 9); removed Wikibase Product Platform (v1).
Jakob_WMDE added subscribers: Ollie.Shotton_WMDE, Silvan_WMDE, Jakob_WMDE.EditedJun 22 2022, 2:41 PM

Notes from task breakdown:

  • authentication
  • authorization2: need to check whether user can edit the particular item
    • prerequisites @Silvan_WMDE creates ticket
      • create a PermissionChecker service interface with a canEdit( itemId $id, User $user ): bool method
      • create a User domain class containing the username
    • implement PermissionChecker using UserFactory and EntityPermissionChecker @Jakob_WMDE creates ticket
    • use PermissionChecker in the use case after calling revisionMetadataRetriever @Ollie.Shotton_WMDE creates ticket
      • return error response if not allowed
      • e2e test with protected item

Questions:
What is the response for protected items?

Jakob_WMDE renamed this task from Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements to 🟦️ Authenticate and authorize as mediawiki user when creating statement using POST /entities/items/{item_id}/statements.Jun 22 2022, 2:42 PM
WMDE-leszek added a comment.Jun 22 2022, 8:14 PM

What is the response for protected items?

code:protected-page
message:`This page is currently protected and can only be edited by certain users.

Jakob_WMDE added a comment.Jun 23 2022, 9:28 AM

Per daily discussion: instead of responding with specific errors for different reasons, let's keep it simple for now and respond with the same kind of error in all cases. This error should look like the one MediaWiki responds with when then route handler's needsWriteAccess check fails.

Silvan_WMDE moved this task from To Do to Product Verification on the Wikibase Product Platform (v1) (Sprint 9) board.Jul 1 2022, 1:52 PM

Turns out that the canEdit() check we are performing in the PermissionChecker may not only fail for protected pages, but also for other reasons, such as (partial) user blocks. Since we already had agreed, that the error response should be the same as the MediaWiki framework response, when the route handler's needsWriteAccess check fails, we are now returning a generic "permission denied" error from the use case. However, that never makes it to the surface, because the route handler detects it and turns it into the framework's standard 403 Forbidden response.

Can be tested on https://wikidata.beta.wmflabs.org/wiki/Q111, which I marked as protected for two weeks.

WMDE-leszek added a comment.Jul 4 2022, 9:48 PM

Tested a few scenarios, and looks good. Verified.

WMDE-leszek moved this task from Product Verification to Done on the Wikibase Product Platform (v1) (Sprint 9) board.Jul 4 2022, 9:48 PM
WMDE-leszek closed this task as Resolved.Jul 11 2022, 9:18 AM
WMDE-leszek claimed this task.
WMDE-leszek closed subtask T311221: 🟦️ Use the newly created `PermissionChecker` in the AddItemStatement use case as Resolved.
WMDE-leszek closed subtask T311200: 🟦️ Authorization prerequisites as Resolved.
WMDE-leszek closed subtask T311154: 🟦️ Implement REST API specific PermissionChecker as Resolved.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits