Page MenuHomePhabricator
Create Task
Maniphest T43201

UserLoadFromSession considered evil
Closed, ResolvedPublic
Actions

Description

Running code from CentralAuth, AbuseFilter, TitleBlacklist etc. which collectively call half the codebase does not seem like a good thing to be doing while the main context user is half-initialised and has lots of methods which will fail horribly if you try to call them (e.g. T43198).

Perhaps initialisation of the User object from the session can be moved to a function called from Setup.php, such as RequestContext::getUser(). It's not lazy-loaded anyway, User::newFromSession() has always been called unconditionally. Then CentralAuth (and anything else that uses the UserLoadFromSession hook) can be called without User::load() in its call stack.

Version: unspecified
Severity: normal
See Also: T60731

Details

Reference
bz41201

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedTgrT43201 UserLoadFromSession considered evil
OpenNoneT89459 Modernize MediaWiki authentication system (AuthManager)
· · ·

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:01 AM
bzimport added projects: MediaWiki-extensions-CentralAuth, platformeng.
bzimport set Reference to bz41201.
bzimport added a subscriber: Unknown Object (MLST).
tstarling created this task.Oct 19 2012, 3:42 AM
Anomie added a comment.Dec 20 2013, 4:20 PM

Looking at WMF-deployed extensions, I see that OAuth and CentralAuth use this hook.

OAuth checks the request's Title object to avoid running on Special:OAuth itself (Special:OAuth needs to do special stuff). To be able to call UserLoadFromSession in Setup.php, we'd either have to change this check or create Title in Setup.php too, before the $wgExtensionFunctions hooks.

CentralAuth doesn't seem to directly do anything that would blow up if called from Setup.php. But it might call the AbortAutoAccount and AuthPluginAutoCreate hooks, which might have the same sort of expectations of being called after Setup.php as OAuth.

greg edited projects, added MediaWiki-Core-Team; removed platformeng.Dec 8 2014, 10:15 PM
werdna unsubscribed.Dec 10 2014, 5:14 PM
Legoktm added a project: MediaWiki-Core-AuthManager.Feb 6 2015, 7:07 PM
Legoktm set Security to None.
mmodell raised the priority of this task from Medium to High.Feb 14 2015, 1:42 AM
mmodell subscribed.

priority: high because this is batshit insane and can't be justified.

bd808 subscribed.Feb 14 2015, 1:46 AM

See also T56193: Warning: Recursion detected in RequestContext::getLanguage in /includes/context/RequestContext.php on line 284

RobLa-WMF removed a project: MediaWiki-Core-Team.Apr 8 2015, 10:25 PM
Nemo_bis subscribed.Jul 18 2015, 7:24 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2015, 7:24 PM
Tgr updated the task description. (Show Details)EditedAug 27 2015, 6:27 AM
Tgr added a subtask: T89459: Modernize MediaWiki authentication system (AuthManager).
Tgr subscribed.

AuthManager deprecates UserLoadFromSession. We'll see if the new code is less evil.

Coming up with documentation standards for "this method might be called in a pre-auth context" sounds like a good idea.

Tgr reopened subtask T89459: Modernize MediaWiki authentication system (AuthManager) as Open.Aug 27 2015, 7:08 AM
Tgr closed this task as Resolved.Apr 17 2016, 8:02 AM
Tgr claimed this task.

Fixed a while ago in SessionManager; See Setup.php L715-780 and L833-843.

MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:21 PM
Anomie mentioned this in T177478: Unable to change user settings.Oct 5 2017, 6:02 PM
Anomie mentioned this in T240083: "User::loadFromSession called before the end of Setup.php" (violation by Wikibase/ULS) [Story Points 5].Dec 11 2019, 7:15 PM
Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL