Page MenuHomePhabricator
Create Task
Maniphest T350701

[S] Add a temp user type to UserDef::PARAM_ALLOWED_USER_TYPES
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

Action and REST APIs can specify allowed user types for a parameter, via UserDef::PARAM_ALLOWED_USER_TYPES. We should add a temp user type to this list:

UserDef::PARAM_ALLOWED_USER_TYPES
  'name': User names are allowed.
  'ip': IP ("anon") usernames are allowed.
  'cidr': IP ranges are allowed.
  'interwiki': Interwiki usernames are allowed.
  'id': Allow specifying user IDs, formatted like "#123".

We'll need to update UserDef::processUserto recognize a temporary user (say, 'temp'?) as different from a named user ('name').

Note
This will mean that APIs that want to be usable by temporary users will need to be updated. This will require extra work (compared to just assuming temporary users are in either the 'ip' or 'name' buckets). This decision was arrived at in T337103: Decide a standard approach for classifying temporary, IP and registered users, and Trust and Safety Product Team will communicate this work ahead of enabling temporary account auto-creation.

Details

SubjectRepoBranchLines +/-
Add 'temp' to allowed user types in various APIsmediawiki/coremaster+25 -25
ApiQueryGlobalUserInfo: Allow 'temp' type for 'user' parammediawiki/extensions/CentralAuthmaster+1 -0
Add temporary user type to UserDefmediawiki/coremaster+30 -10
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.Nov 7 2023, 4:02 PM
Tchanders updated the task description. (Show Details)Nov 7 2023, 4:29 PM
Tchanders renamed this task from Add a temp user type to UserDef::PARAM_ALLOWED_USER_TYPES to [S] Add a temp user type to UserDef::PARAM_ALLOWED_USER_TYPES.Nov 7 2023, 4:31 PM
Tchanders edited projects, added Trust and Safety Product Sprint; removed Trust and Safety Product Sprint (Sprint Bodhrán).Nov 13 2023, 6:46 PM
Tchanders mentioned this in T341228: Update action API to handle temporary users.Nov 20 2023, 12:16 PM
Niharika set the point value for this task to 1.Nov 20 2023, 4:33 PM
Niharika edited projects, added Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)); removed Trust and Safety Product Sprint.
STran claimed this task.Nov 23 2023, 12:07 PM
STran moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)) board.
gerritbot added a comment.Nov 28 2023, 12:44 PM

Change 978044 had a related patch set uploaded (by STran; author: STran):

[mediawiki/core@master] Add temporary user type to UserDef

https://gerrit.wikimedia.org/r/978044

gerritbot added a project: Patch-For-Review.Nov 28 2023, 12:44 PM
STran moved this task from In Progress to Needs review on the Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)) board.Nov 29 2023, 10:25 AM
gerritbot added a comment.Nov 29 2023, 1:17 PM

Change 978533 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Add 'temp' to allowed user types in various APIs

https://gerrit.wikimedia.org/r/978533

gerritbot added a comment.Nov 29 2023, 1:22 PM

Change 978534 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/extensions/CentralAuth@master] ApiQueryGlobalUserInfo: Allow 'temp' type for 'user' param

https://gerrit.wikimedia.org/r/978534

Tchanders added a comment.Nov 29 2023, 1:25 PM

This is a breaking change as described in the release notes:

UserDef::PARAM_ALLOWED_USER_TYPES now differentiates between temporary account
usernames and user accounts. Any endpoints that want temp users to be
valid but were passing a name through will break. Temp users must now be
explicitly allowed.

Existing are updated in the other patches linked to this task, by:

  1. Searching https://codesearch.wmcloud.org/search/?q=UserDef%3A%3APARAM_ALLOWED_USER_TYPES&files=&excludeFiles=&repos=
  2. Updating those params that should allow the 'temp' type (instances were found in core and CentralAuth) - and leaving those that shouldn't alone.
gerritbot added a comment.Nov 30 2023, 2:56 PM

Change 978044 merged by jenkins-bot:

[mediawiki/core@master] Add temporary user type to UserDef

https://gerrit.wikimedia.org/r/978044

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.9; 2023-12-12).Nov 30 2023, 3:01 PM
gerritbot added a comment.Nov 30 2023, 9:26 PM

Change 978534 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] ApiQueryGlobalUserInfo: Allow 'temp' type for 'user' param

https://gerrit.wikimedia.org/r/978534

gerritbot added a comment.Nov 30 2023, 9:39 PM

Change 978533 merged by jenkins-bot:

[mediawiki/core@master] Add 'temp' to allowed user types in various APIs

https://gerrit.wikimedia.org/r/978533

Maintenance_bot removed a project: Patch-For-Review.Nov 30 2023, 10:10 PM
Tchanders moved this task from Needs review to Needs QA on the Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)) board.Dec 1 2023, 2:30 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Sprint (Sprint Lute (11th Dec. - 22nd Dec. 2023)); removed Trust and Safety Product Sprint (Sprint Shamisen (20th Nov - 1st Dec. 2023)).Dec 11 2023, 5:03 PM
Dreamy_Jazz moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Lute (11th Dec. - 22nd Dec. 2023)) board.
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Lute (11th Dec. - 22nd Dec. 2023)) board.Dec 12 2023, 2:32 PM
dom_walden subscribed.

I tried calling a few APIs which have parameters of type user, passing named and temporary users, on wikis with and without temporary users enabled.

Passing a temporary username to a user parameter which accepts temp users works fine.

The only difference I can see when calling an API is when the user parameter accepts only named users and you are on a wiki with temporary users enabled. If you try to pass a temporary username, it will return something like:

{
    "error": {
        "code": "baduser",
        "info": "Invalid value \"*Unregistered #nnn\" for user parameter \"wlowner\".",
        ...

On a wiki with temporary users disabled, temporary usernames are counted as named users so the APIs work as they did previously.

Test environments: https://en.wikipedia.beta.wmflabs.org and https://de.wikipedia.beta.wmflabs.org MediaWiki 1.42.0-alpha (6c07e2a) 02:15, 12 December 2023.

Dreamy_Jazz subscribed.Jan 29 2024, 6:18 PM

@STran can this ticket be closed?

Tchanders closed this task as Resolved.Jan 30 2024, 4:55 PM
In T350701#9495513, @Dreamy_Jazz wrote:

@STran can this ticket be closed?

Yes - thanks.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL