Deprecated: Creation of dynamic property Wikimedia\Rdbms\DBConnRef::$daoReadOnly is deprecated in /var/www/wiki/mediawiki/extensions/OAuth/src/Backend/Utils.php on line 65
From .phan/config.php:
// Database->daoReadOnly and MWOAuthToken->oauth_callback_confirmed $cfg['suppress_issue_types'][] = 'PhanUndeclaredProperty';
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T314099 PHP 8.2: Dynamic property creation is deprecated | |||
| Open | None | T324898 Deprecated: Creation of dynamic property in OAuth |
Change 877283 had a related patch set uploaded (by Reedy; author: Reedy):
[mediawiki/extensions/OAuth@master] Stop dynamic creation of DBConnRef::$daoReadOnly
Change 877284 had a related patch set uploaded (by Reedy; author: Reedy):
[mediawiki/extensions/OAuth@master] MWOAuthToken: Add #[\AllowDynamicProperties]
MWOAuthToken->oauth_callback_confirmed is interesting...
I'm not 100% if we can just add the property, and don't set it to true by default?
Various docs seem to say
Your app should verify that oauth_callback_confirmed is true
So, they need to check the value etc?
Change 877283 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Stop dynamic creation of DBConnRef::$daoReadOnly
Are these docs about the HTTP protocol or the PHP library? Codesearch suggests this property is never read. Looking very shallowly at the methods immediate before and after the one where this property is assigned, it seems https://gerrit.wikimedia.org/g/mediawiki/extensions/OAuth/+/e0f378be15cea6fcf1f86e698fd69450133e0dfc/src/Frontend/SpecialPages/SpecialMWOAuth.php#714 is possibly the one that "matters" and just as the previous call unconditionally creates the property as true, this one goes further and also unconditionally sets it as query parameter without even reading the object property.
Having said that, maybe it's called by something indirectly through reflection or object-as-array iteration or something?
Change 877284 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] MWOAuthToken: Add #[\AllowDynamicProperties]
Or serialisation/similar... I see in various references in OAuth docs online about serializing token.
Also https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/031dcff94cf01ab333c2b85fc9f2eefaa7c557af/examples/testClient.php#L153-L156 suggests too (maybe it's some holdover from this example?)
The explicit assignment of the property is from rEOAU5c8056083204: Enforce 1.0a callback param handling. but that also adds some of the GET/POST parameter type instance of oauth_callback_confirmed too.
Would be good to properly check/qualify/document
Per the spec: oauth_callback_confirmed: MUST be present and set to true. The Consumer MAY use this to confirm that the Service Provider received the callback value. A bit pointless, but the OAuth spec is not known for its user-friendliness.
That's indeed the only place where the OAuth 1 token is output, IIRC, but it does use the property in JSON mode. It would be cleaner if it behaved like the other two modes and constructed the output directly.
Change #1050802 had a related patch set uploaded (by Umherirrender; author: Umherirrender):
[mediawiki/extensions/OAuth@master] build: Remove suppression of PhanUndeclaredProperty
Change #1050802 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] build: Move suppression of PhanUndeclaredProperty inline