Page MenuHomePhabricator

Add CheckUser to the grants an OAuth consumer can use
Closed, ResolvedPublic

Description

It'd be good if OAuth consumers could request the ability to use checkuser, so that tools could be built to analyse checkuser data.


Version: unspecified
Severity: enhancement

Details

Reference
bz59929

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 2:37 AM
bzimport set Reference to bz59929.
bzimport added a subscriber: Unknown Object (MLST).
Deskana created this task.Jan 10 2014, 11:53 PM

This seems like a bug for Wikimedia / Site requests to have it added to $wgMWOAuthGrantPermissions in the config for WMF sites. Since checkuser isn't core MediaWiki, it seems awkward to have OAuth try to handle it.

For a minimal implementation, just add $wgMWOAuthGrantPermissions['checkuser']['checkuser'] = true; into InitializeSettings.php, and make sure the message mwoauth-grant-checkuser gets defined in Ex:WikimediaMessages. The authorization screen will show the grant under the "Miscellaneous activity" grants group, which isn't too bad since the number of potential users is so small.

(In reply to comment #2)

into InitializeSettings.php

Should that be CommonSettings.php, specifically somewhere in https://git.wikimedia.org/blob/operations%2Fmediawiki-config.git/3a1f34f81065764fb787e5290e916df44593c5fa/wmf-config%2FCommonSettings.php#L2523 ?

(In reply to comment #1)

This seems like a bug for Wikimedia / Site requests to have it added to
$wgMWOAuthGrantPermissions in the config for WMF sites. Since checkuser isn't
core MediaWiki, it seems awkward to have OAuth try to handle it.

I don't see why OAuth can't handle it. It's fine if extensions know about each other, so just do some kind of if class_exists( 'CheckUser' ) { load CU stuff; }

Because then you have a weird maze of different files to dig through to try to find where some setting is being set. When one extension needs some complex configuration based on the other then this might make sense, but for something simple like this I don't see it.

That particular suggestion would also depend on the ordering of the loading of the extensions, unless you're doing it in $wgExtensionFunctions which can have its own issues.

(In reply to comment #5)

Because then you have a weird maze of different files to dig through to try
to
find where some setting is being set. When one extension needs some complex
configuration based on the other then this might make sense, but for
something
simple like this I don't see it.

I would just stick a comment saying # Note additional settings might be conditionally set in File.php

My expectation would be that if I have CheckUser and OAuth installed, it would just work, without requiring identical configuration that every wiki needs to set up.

That particular suggestion would also depend on the ordering of the loading
of
the extensions, unless you're doing it in $wgExtensionFunctions which can
have
its own issues.

I was thinking that rather than functions using $wgMWOAuthGrantPermissions directly, you could have an intermediate function which adds the conditional ones. But I don't know the extension as well as you do, so I'll defer to your judgement :)

(In reply to comment #6)

My expectation would be that if I have CheckUser and OAuth installed, it
would
just work, without requiring identical configuration that every wiki needs to
set up.

But then where do we stop? Why not have OAuth and JoesFabulousExtension "just work" too?

Also, while looking at bug 60392, I realized another problem here with regard to wiki farms: even if the other extension itself isn't enabled on a particular wiki, the configuration needs to be present on all of them or granting doesn't show up right. But if the extension isn't installed at all, we don't want to be dumping it in the config because it won't make sense.

Change 109308 had a related patch set uploaded by Anomie:
Add checkuser OAuth group

https://gerrit.wikimedia.org/r/109308

Change 109309 had a related patch set uploaded by Anomie:
Message for checkuser OAuth group

https://gerrit.wikimedia.org/r/109309

Change 109309 merged by jenkins-bot:
Message for checkuser OAuth group

https://gerrit.wikimedia.org/r/109309

Change 109308 merged by jenkins-bot:
Add checkuser OAuth group

https://gerrit.wikimedia.org/r/109308

The grant is on the proposal form now. Thanks Brad!