Page MenuHomePhabricator
Create Task
Maniphest T332414

Make ApiOptions unavailable to temporary users
Closed, ResolvedPublic2 Estimated Story Points
Actions

Assigned To
Cyndymediawiksim
Authored By
Tchanders
Mar 17 2023, 4:05 PM
Tags
Referenced Files
F36931340: T332414_IPMasking_APIOptions_NotLoggedIn_Token.png
Mar 28 2023, 8:54 PM
F36931338: T332414_IPMasking_APIOptions_TempUser_Token.png
Mar 28 2023, 8:54 PM
F36931336: T332414_IPMasking_APIOptions_Admin.png
Mar 28 2023, 8:54 PM
F36931334: T332414_IPMasking_APIOptions_NotLoggedIn.png
Mar 28 2023, 8:54 PM
F36931332: T332414_IPMasking_APIOptions_TempUser.png
Mar 28 2023, 8:54 PM
Subscribers
Aklapper
ARamirez_WMF
DLynch
drochford
GMikesell-WMF
Izno
JayCano
View All 14 Subscribers

Description

ApiOptions (used for setting preferences) throws a 'notloggedin' error for anonymous users. It should do the same for temporary users.

mw.Api#saveOptions (in JS) calls ApiOptions, and currently skips the API request for logged-out users. It should do the same for temporary users.

Testing Notes

  • As a temporary user, access the API sandbox ,e.g. http://localhost:8080/wiki/Special:ApiSandbox.
  • Select the "options" module in the "action" parameter dropdown. Fill in the required parameters, such as the token and an option that you want to change (e.g., changing the 'language' to 'es') and make the API request.
  • Check the response to ensure that you receive an error or a message indicating that temporary users cannot update user options.
  • Also Test API calls as a registered user and an anonymous user to make sure the response is as expected.

Details

SubjectRepoBranchLines +/-
Make ApiOptions unavailable to temporary usersmediawiki/coremaster+103 -51
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.Mar 17 2023, 4:05 PM
Tchanders set the point value for this task to 1.
matmarex merged a task: T332413: Make ApiOptions unavailable to temporary users.Mar 17 2023, 4:09 PM
matmarex mentioned this in T330815: Disallow preference setting by temporary users.Mar 17 2023, 7:36 PM

Request from me: please also update mw.Api#saveOptions in JS, which calls ApiOptions, and currently checks for logged-out users to skip the API request.

MusikAnimal unsubscribed.Mar 17 2023, 11:15 PM
Tchanders updated the task description. (Show Details)Mar 20 2023, 9:30 AM
Tchanders changed the point value for this task from 1 to 2.
In T332414#8706302, @matmarex wrote:

Request from me: please also update mw.Api#saveOptions in JS, which calls ApiOptions, and currently checks for logged-out users to skip the API request.

Thanks - task updated

Cyndymediawiksim claimed this task.Mar 21 2023, 9:45 AM
Cyndymediawiksim moved this task from Ready ๐ŸŽฌ (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress ๐Ÿ’ช on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.
Cyndymediawiksim updated the task description. (Show Details)Mar 21 2023, 4:48 PM
gerritbot added a comment.Mar 21 2023, 4:49 PM

Change 901672 had a related patch set uploaded (by Cyndywikime; author: Cyndywikime):

[mediawiki/core@master] Make ApiOptions unavailable to temporary users

https://gerrit.wikimedia.org/r/901672

gerritbot added a project: Patch-For-Review.Mar 21 2023, 4:49 PM
Cyndymediawiksim moved this task from In Progress ๐Ÿ’ช to Code Review ๐Ÿ” on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.Mar 21 2023, 4:50 PM
Cyndymediawiksim moved this task from Code Review ๐Ÿ” to In Progress ๐Ÿ’ช on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.Mar 21 2023, 5:00 PM
Cyndymediawiksim moved this task from In Progress ๐Ÿ’ช to Code Review ๐Ÿ” on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.Mar 22 2023, 9:13 AM
โ€ข AGueyte moved this task from Code Review ๐Ÿ” to QA/Testing ๐Ÿž on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.Mar 28 2023, 3:36 PM
gerritbot added a comment.Mar 28 2023, 3:52 PM

Change 901672 merged by jenkins-bot:

[mediawiki/core@master] Make ApiOptions unavailable to temporary users

https://gerrit.wikimedia.org/r/901672

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.3; 2023-04-03).Mar 28 2023, 4:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 28 2023, 4:10 PM
GMikesell-WMF subscribed.Mar 28 2023, 8:54 PM

@Cyndymediawiksim I just wanted to validate with you that the results below are as expected before I move this to Done.

OS: macOS 13.2
Browsers: Safari 16.3, Chrome 111, Firefox 111
Environment: Local

API Request Response

UserAPI Options
Temp User
T332414_IPMasking_APIOptions_TempUser.png (691ร—3 px, 210 KB)
Not Logged In
T332414_IPMasking_APIOptions_NotLoggedIn.png (603ร—3 px, 195 KB)
Admin
T332414_IPMasking_APIOptions_Admin.png (571ร—3 px, 169 KB)

API Sandbox Auto-fill token- I just wanted to check that when you are not logged in, that auto-fill the token would only input "+\" compared to the rest getting numbers

T332414_IPMasking_APIOptions_TempUser_Token.png (993ร—2 px, 236 KB)
T332414_IPMasking_APIOptions_NotLoggedIn_Token.png (1ร—3 px, 250 KB)
matmarex added a comment.Mar 28 2023, 10:30 PM
In T332414#8736532, @GMikesell-WMF wrote:

API Sandbox Auto-fill token- I just wanted to check that when you are not logged in, that auto-fill the token would only input "+\" compared to the rest getting numbers

Yes, this is an old known issue documented at T40417.

Cyndymediawiksim added a comment.Mar 29 2023, 8:02 AM
In T332414#8736532, @GMikesell-WMF wrote:

@Cyndymediawiksim I just wanted to validate with you that the results below are as expected before I move this to Done.

OS: macOS 13.2
Browsers: Safari 16.3, Chrome 111, Firefox 111
Environment: Local

API Request Response

UserAPI Options
Temp User
T332414_IPMasking_APIOptions_TempUser.png (691ร—3 px, 210 KB)
Not Logged In
T332414_IPMasking_APIOptions_NotLoggedIn.png (603ร—3 px, 195 KB)
Admin
T332414_IPMasking_APIOptions_Admin.png (571ร—3 px, 169 KB)

API Sandbox Auto-fill token- I just wanted to check that when you are not logged in, that auto-fill the token would only input "+\" compared to the rest getting numbers

T332414_IPMasking_APIOptions_TempUser_Token.png (993ร—2 px, 236 KB)
T332414_IPMasking_APIOptions_NotLoggedIn_Token.png (1ร—3 px, 250 KB)

@GMikesell-WMF , lgtm.Thanks!

Tchanders moved this task from QA/Testing ๐Ÿž to Done Q2 2022-2023 on the Anti-Harassment (AHaT Sprint 27: The Big Yellow Hat) board.Mar 29 2023, 1:49 PM
Tchanders closed this task as Resolved.Apr 11 2023, 9:28 PM
tstarling subscribed.Jul 14 2023, 12:46 AM

It should do the same for temporary users.

Why?

tstarling added a comment.Jul 14 2023, 1:15 AM

I think for T336713, it would be much better if ApiOptions just worked for temporary users. Also for ULS per T330815#8782858. I don't understand what problem we're solving by denying API options for temporary users.

Tchanders added a comment.Jul 25 2023, 2:24 PM

Summarising a conversation that happened on Slack about this while I was out, for the sake of anyone reading this task who can't read that conversation. (All these points were made, not necessarily in this order):

  • The MVP ask was for temporary users to be treated like anon users when it comes to preferences (subject to rethinking later, as is every MVP decision)
  • A simple way of doing this is to give them exactly the same experience as anon users (i.e. prevent storing preferences in user_properties), rather than inventing a third tier of access to preferences
  • Doing this means that temp users will experience some of the same bugs that anon users experience (e.g. T336713)
  • user_properties bloat is a performance concern, but there are ways around this as discussed on T54777, that could allow certain preferences to be saved for temp users
  • Efforts are also underway to store some preferences in local storage, which may be an alternative solution

My thoughts are that, given the MVP ask for temporary users to be on a par with anonymous users, it's OK for them to experience the same bugs to begin with, especially since it seems there are some questions to be resolved here (do we implement T54777#7724456? how far can we use solutions like T336713#9030125?). However, I agree that the end-goal is to take advantages of the improvements we are now able to make over the current anon user experience.

Jdlrobson mentioned this in T346832: Limited width doesn't persist for IP masked users.Sep 21 2023, 12:18 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. ยท Wikimedia Foundation ยท Privacy Policy ยท Code of Conduct ยท Terms of Use ยท Disclaimer ยท CC-BY-SA ยท GPL