Page MenuHomePhabricator
Create Task
Maniphest T407363

Wikipedia read access is denied without login
Closed, DuplicatePublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • visit nl.wikipedia.org without being logged in;
  • in https://nl.wikipedia.org/wiki/Willem_Holleeder#Jeugd , click on the red link for "Wim Holleeder" (first red link in the paragraph)
  • the new page says one needs to login to be able to view the page (see screenshot attached)

Note: we had a problem report in the Helpdesk on the same kind of issue in June 2025 - no bug was reported in phabricator though. That page also produces the access denied issue.
Note 2: this new report comes from VRT ticket:2025101310010185 from Oct 13th., which I was able to reproduce in Google Chrome today

What happens?:

  • requested page does not appear, instead, an "access denied" message is shown.

What should have happened instead?:

  • requested page should have been served to the visitor

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
Chrome browser - an older version... I don't use it often. It updated to 141.0.7390.108 while I was searching for the browser version at the time of the screenshot. :(

Other information (browser name/version, screenshots, etc.):

Schermafbeelding 2025-10-15 155219.png (428×1 px, 47 KB)

Related Objects

Event Timeline

Ciell created this task.Wed, Oct 15, 2:15 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptWed, Oct 15, 2:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Aklapper triaged this task as Unbreak Now! priority.EditedWed, Oct 15, 3:35 PM

Thanks for reporting this! Which exact browsers and browser versions were used?

I cannot reproduce this using Firefox 144 in a private session.
Clicking the red link for "Wim Holleeder" on https://nl.wikipedia.org/wiki/Willem_Holleeder#Jeugd allows me to create a new article:

Screenshot From 2025-10-15 17-32-17.png (978×1 px, 181 KB)

I land on an Edit URL though. Not on a Search URL. Not sure why.

So there might be a redirect from the article address to the authentication address here. Which I do not see when trying.

DAlangi_WMF subscribed.Wed, Oct 15, 4:00 PM

Looking at the screenshot, the page you're trying to view is on the authentication domain (auth.wikimedia.org), which is used only for authentication purposes (hence, access is denied as expected).

You should be viewing/creating the target page on the actual nl Wikipedia. I'm curious how clicking on the red link takes you to the auth domain. I couldn't reproduce that part either.

Ciell added a comment.EditedWed, Oct 15, 4:17 PM

I was on nl.wikipedia.org. :)
I intentionally included the url because I also noticed it got stuck on the auth.wikimedia.org, where I should not even be when not logged in, right?

It just happened to me logged in as well:

  • be logged in
  • visit nl.wikipedia.org
  • use the search field to go to "Help:Helpdesk/Archief/jun_2025#Weer_wat_nieuws"
  • again a page with the access forbidden is shown

This time I was logged in, and my browser was FireFox 143.0.4. (new screenshot attached)
I'll add browser information to the one above as well.

Schermafbeelding 2025-10-15 180905.png (413×1 px, 39 KB)

Ciell updated the task description. (Show Details)Wed, Oct 15, 4:20 PM
Ciell updated the task description. (Show Details)
A_smart_kitten edited projects, added MediaWiki-extensions-CentralAuth, SUL3; removed MediaWiki-Core-AuthManager.Thu, Oct 16, 8:15 AM
Tgr subscribed.Thu, Oct 16, 1:19 PM

Someone tried to use the search bar from the login page and ended up on an article page URL on the auth domain, which doesn't work.

The "You need to be logged in" message is confusing (the page would still not work with that URL if you were logged in) but I don't think there's an easy way to avoid that.

Tgr closed this task as a duplicate of T381096: Hide the search form in the skin during login, signup, and other auth-domain workflows .Thu, Oct 16, 1:20 PM
Ciell added a comment.Thu, Oct 16, 1:30 PM

This 'someone' was me, and I was logged out and on a Wikipedia article page when trying to replicate the error, as described in the steps, by clicking on a red link in the article.
The second time (second screenshot) I was logged in, and navigating from a talk page to our Helpdesk by entering the words in the search bar.

(A similarity between both cases that I can see, might have been that both browsers I used (Chrome & FF) were of a slightly older version)

Aklapper lowered the priority of this task from Unbreak Now! to Needs Triage.Thu, Oct 16, 1:34 PM
Tgr added a comment.Thu, Oct 16, 3:35 PM

Seems pretty unlikely that you'd end up on auth.wikimedia.org without actually starting a login / signup, regardless of browser. Maybe if you actually tried to save an edit at the red link, as that results in temp user creation which does involve interacting with the authentication domain, but for just reading, I don't see how it could happen. All data stored in the browser is split by domain, so going to the auth page, using the search box and getting something cached can't cause that either.

Maybe you followed some link to the login page (a login link in a page protection template, or such)? Or maybe a buggy gadget or browser extension?

Ciell added a comment.EditedThu, Oct 16, 3:58 PM

.... I agree it is strange, which is why I made the screenshots and filed a ticket....

  • The user who reported this behavior to our Helpdesk in June used the Wikipedia search field (FF browser/not logged in).
  • When I experienced it yesterday, I was not logged in and clicked on a red link in an article, and I got the same error message. As I said, because I was testing a complaint that we received via VRT (former OTRS), and I was surprised to see the auth. domain in the url, even though I was not logged in (Chorme browser this time) ànd was only clicking a red link.
  • The second time I received the error message I was logged in, and used the search field (in FF).

I did not follow a link to the login page at any of the instances, and I did not try to save an edit. I was trying to visit a page.

Tgr added a comment.Sun, Oct 26, 10:00 AM

I can't see how the choice of browser would influence the outcome, but I tried searching in Firefox just in case, in various ways (click, Enter, button) and it all works as expected.

This issue seems improbable both theoretically (I can't really imagine how the auth domain would "leak" into non-authentication workflows) and in terms of impact (if search occasionally redirected to the auth domain, it would have to happen in some very niche circumstances, otherwise it would have been reported already - search is used a lot), and the reproduction steps don't work. I don't think we can do much here, other than fixing T381096: Hide the search form in the skin during login, signup, and other auth-domain workflows (my best guess is still that you and the people reporting it somehow start a login workflow by accident, and then try to use the search bar on the authentication domain; the fact that it is present at all is certainly confusing).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits