
$wgOATHExclusiveRights are not given when logged in with "keep logged in" checkbox and login cookie expires / browser is closed
Open, Needs Triage | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • install, configure and activate extension OATHAuth on a wiki
  • configure exclusive rights like this: $wgOATHExclusiveRights = ['edit', 'delete', 'move', 'movefile', 'undelete', 'reupload'];
  • enable 2FA on user
  • log out with this user
  • log in with this user and check the box "keep me logged in"
  • enter 2FA code
  • close browser (alternative is to wait x minutes so the login cookie expires)
  • open browser (alternative is to wait x minutes so the login cookie expires)
  • revisit wiki (alternative is to wait x minutes so the login cookie expires)

What happens?:
The cookie set by "keep me logged in" works in a way that the user is logged in like usual, BUT the extra rights from 2FA are not given. In order to get these rights again, the user must log out and then log back in.

What should have happened instead?:
User should keep the extra rights when he uses the "keep me logged in" checkbox until the LoginCookie expires and not sooner.

Software version (skip for WMF-hosted wikis like Wikipedia):
MediaWiki 1.39 LTS
Other information (browser name/version, screenshots, etc.):
all browsers